|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ?? 2017, PHP 5.6.30
+- GD:
+ . Fixed bug #73549 (Use after free when stream is passed to imagepng). (cmb)
+
08 Dec 2016, PHP 5.6.29
- Mbstring:
}
static void _php_image_stream_ctxfree(struct gdIOCtx *ctx)
+{
+ if(ctx->data) {
+ ctx->data = NULL;
+ }
+ if(ctx) {
+ efree(ctx);
+ }
+} /* }}} */
+
+static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */
{
TSRMLS_FETCH();
gdIOCtx *ctx = NULL;
zval *to_zval = NULL;
php_stream *stream;
+ int close_stream = 1;
/* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp().
* The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called
if (stream == NULL) {
RETURN_FALSE;
}
+ close_stream = 0;
} else if (Z_TYPE_P(to_zval) == IS_STRING) {
if (CHECK_ZVAL_NULL_PATH(to_zval)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
ctx = emalloc(sizeof(gdIOCtx));
ctx->putC = _php_image_stream_putc;
ctx->putBuf = _php_image_stream_putbuf;
- ctx->gd_free = _php_image_stream_ctxfree;
+ if (close_stream) {
+ ctx->gd_free = _php_image_stream_ctxfreeandclose;
+ } else {
+ ctx->gd_free = _php_image_stream_ctxfree;
+ }
ctx->data = (void *)stream;
}
--- /dev/null
+--TEST--
+Bug #73549 (Use after free when stream is passed to imagepng)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$stream = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png', 'w');
+$im = imagecreatetruecolor(8, 8);
+var_dump(imagepng($im, $stream));
+var_dump($stream);
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+resource(%d) of type (stream)
+===DONE===
+--CLEAN--
+<?php
+unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png');
+?>