PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2007, Version 4.4.7
+- Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
- Fixed bug #40747 (possible crash in session when save_path is out of
open_basedir). (Tony)
libgd/gdxpm.c libgd/gdfontt.c libgd/gdfonts.c libgd/gdfontmb.c libgd/gdfontl.c \
libgd/gdfontg.c libgd/gdtables.c libgd/gdft.c libgd/gdcache.c libgd/gdkanji.c \
libgd/wbmp.c libgd/gd_wbmp.c libgd/gdhelpers.c libgd/gd_topal.c libgd/gd_gif_in.c \
- libgd/xbm.c libgd/gd_gif_out.c "
+ libgd/xbm.c libgd/gd_gif_out.c libgd/gd_security.c"
dnl check for fabsf and floorf which are available since C99
AC_CHECK_FUNCS(fabsf floorf)
# End Source File\r
# Begin Source File\r
\r
+SOURCE=.\gd_security.c\r
+# End Source File\r
+# Begin Source File\r
+\r
SOURCE=.\gdttf.c\r
# End Source File\r
# End Group\r
--- /dev/null
+/*
+ * gd_security.c
+ *
+ * Implements buffer overflow check routines.
+ *
+ * Written 2004, Phil Knirsch.
+ * Based on netpbm fixes by Alan Cox.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include "gd.h"
+
+int overflow2(int a, int b)
+{
+ if(a < 0 || b < 0) {
+ php_gd_error("gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+ return 1;
+ }
+ if(b == 0)
+ return 0;
+ if(a > INT_MAX / b) {
+ php_gd_error("gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+ return 1;
+ }
+ return 0;
+}
#define gdPFree(ptr) pefree(ptr, 1)
#define gdPEstrdup(ptr) pestrdup(ptr, 1)
+/* Returns nonzero if multiplying the two quantities will
+ result in integer overflow. Also returns nonzero if
+ either quantity is negative. By Phil Knirsch based on
+ netpbm fixes by Alan Cox. */
+
+int overflow2(int a, int b);
+
#ifdef ZTS
#define gdMutexDeclare(x) MUTEX_T x
#define gdMutexSetup(x) x = tsrm_mutex_alloc()
if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
return (NULL);
+ if (overflow2(sizeof (int), width)) {
+ gdFree(wbmp);
+ return NULL;
+ }
+ if (overflow2(sizeof (int) * width, height)) {
+ gdFree(wbmp);
+ return NULL;
+ }
+
if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), (width * height), 0)) == NULL)
{
gdFree (wbmp);
printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
#endif
+ if (overflow2(sizeof (int), wbmp->width) ||
+ overflow2(sizeof (int) * wbmp->width, wbmp->height))
+ {
+ gdFree(wbmp);
+ return (-1);
+ }
+
if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), (wbmp->width * wbmp->height), 0)) == NULL)
{
gdFree (wbmp);
--- /dev/null
+--TEST--
+imagecreatefromwbmp with invalid wbmp
+--SKIPIF--
+<?php
+ if (!function_exists('imagecreatefromwbmp')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$filename = dirname(__FILE__) . '/_tmp.wbmp';
+$fp = fopen($filename,"wb");
+if (!$fp) {
+ exit("Failed to create <$filename>");
+}
+
+//write header
+$c = 0;
+fputs($fp, chr($c), 1);
+fputs($fp, $c, 1);
+
+//write width = 2^32 / 4 + 1
+$c = 0x84;
+fputs($fp, chr($c), 1);
+$c = 0x80;
+fputs($fp, chr($c), 1);
+fputs($fp, chr($c), 1);
+fputs($fp, chr($c), 1);
+$c = 0x01;
+fputs($fp, chr($c), 1);
+
+/*write height = 4*/
+$c = 0x04;
+fputs($fp, chr($c), 1);
+
+/*write some data to cause overflow*/
+for ($i=0; $i<10000; $i++) {
+ fwrite($fp, chr($c), 1);
+}
+
+fclose($fp);
+$im = imagecreatefromwbmp($filename);
+unlink($filename);
+?>
+--EXPECTF--
+Warning: imagecreatefromwbmp() [/phpmanual/function.imagecreatefromwbmp.html]: gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %s on line %d
+
+Warning: imagecreatefromwbmp() [/phpmanual/function.imagecreatefromwbmp.html]: '%s' is not a valid WBMP file in %s on line %d
projects / php / commitdiff