]> granicus.if.org Git - php/commit
projects / php / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 014b95a) | patch
Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer CVE-2013-7327
authorRemi Collet <remi@php.net>
Wed, 5 Mar 2014 09:40:36 +0000 (10:40 +0100)
committerRemi Collet <remi@php.net>
Wed, 5 Mar 2014 09:40:36 +0000 (10:40 +0100)
commitaf09d8b96a8aacdd7d738fec81b695c1c58368f7
tree8ebbd84fce5d45b214ead7c93ea2a8ad8742f8a7tree | snapshot
parent014b95a0a7b638787aaa3d6ed864b6c3eaed3910commit | diff
Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer CVE-2013-7327

This amends commit 8f4a537, which aimed to correct NULL dereference because of
missing check of gdImageCreateTrueColor() / gdImageCreate() return value.  That
commit checks for negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows.  Hence
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
is called before dst == NULL check.

This moves NULL check to happen right after gdImageCreate*().  It also removes
width and height check before gdImageCreate*(), as the same check is done by
image create functions (with an extra warning).

From thoger redhat com
ext/gd/libgd/gd_crop.c diff | blob | history
ext/gd/tests/bug66356.phpt diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.