- libgd #94, imagecreatefromxbm can crash if gdImageCreate fails

diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c
index 7a0ca8c40cf964c28d1a86fd1be96d99dd6807fa..53a0d636797d3e82ed7d1cc31dbaef974f7ea00d 100644 (file)
--- a/ext/gd/libgd/xbm.c
+++ b/ext/gd/libgd/xbm.c
@@ -96,7 +96,9 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
                return 0;
        }
 
-       im = gdImageCreate(width, height);
+       if(!(im = gdImageCreate(width, height))) {
+               return 0;
+       }
        gdImageColorAllocate(im, 255, 255, 255);
        gdImageColorAllocate(im, 0, 0, 0);
        h[2] = '\0';

diff --git a/ext/gd/tests/libgd00094.phpt b/ext/gd/tests/libgd00094.phpt
new file mode 100644 (file)
index 0000000..d1d68ea
--- /dev/null
+++ b/ext/gd/tests/libgd00094.phpt
@@ -0,0 +1,19 @@
+--TEST--
+libgd #94 (imagecreatefromxbm can crash if gdImageCreate fails)
+--SKIPIF--
+<?php
+       if (!extension_loaded('gd')) die("skip gd extension not available\n");
+       if (!GD_BUNDLED) die("skip requires bundled GD library\n");
+?>
+--FILE--
+<?php
+$im = imagecreatefromxbm(dirname(__FILE__) . '/libgd00094.xbm');
+var_dump($im);
+?>
+--EXPECTF--
+Warning: imagecreatefromxbm(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %slibgd00094.php on line %d
+
+Warning: imagecreatefromxbm(): '%slibgd00094.xbm' is not a valid XBM file in %slibgd00094.php on line %d
+bool(false)
+

diff --git a/ext/gd/tests/libgd00094.xbm b/ext/gd/tests/libgd00094.xbm
new file mode 100644 (file)
index 0000000..4d0f5bd
--- /dev/null
+++ b/ext/gd/tests/libgd00094.xbm
@@ -0,0 +1,3 @@
+#define width 255
+#define height 1073741824
+static unsigned char bla = {