Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf

We make sure to never pass a negative `rlen` as size to memcpy().

Cf. <https://github.com/libgd/libgd/commit/53110871>.

(cherry picked from commit cc08cbc84d46933c1e9e0149633f1ed5d19e45e9)

diff --git a/ext/gd/libgd/gd_io_dp.c b/ext/gd/libgd/gd_io_dp.c
index bfeb4cb4bb9aa59bbab842df5294fb05849822b6..4dcedde8ccbc4afa7825d0abdffe4ab948bebe1a 100644 (file)
--- a/ext/gd/libgd/gd_io_dp.c
+++ b/ext/gd/libgd/gd_io_dp.c
@@ -237,7 +237,7 @@ static int dynamicGetbuf (gdIOCtxPtr ctx, void *buf, int len)
        if (remain >= len) {
                rlen = len;
        } else {
-               if (remain == 0) {
+               if (remain <= 0) {
                        return EOF;
                }
                rlen = remain;