there are multiple issues with this code
- php_stream_read() returns an unsigned value, so it is always >= 0
- if it read fewer than sizeof(a) bytes, the function operates on garbage
- result->channels is an unsigned value, so it is always >= 0
{
unsigned char a[2];
- /* just return 0 if we hit the end-of-file */
- if((php_stream_read(stream, a, sizeof(a))) <= 0) return 0;
+ /* return 0 if we couldn't read enough data */
+ if((php_stream_read(stream, a, sizeof(a))) < sizeof(a)) return 0;
return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]);
}
#endif
result->channels = php_read2(stream TSRMLS_CC); /* Csiz */
- if (result->channels < 0 || result->channels > 256) {
+ if (result->channels == 0 && php_stream_eof(stream) || result->channels > 256) {
efree(result);
return NULL;
}
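Review bot: The new Csiz condition mixes `&&` and `||` without parentheses, and the 0 that php_read2 now returns on a short read is also a value the stream itself can carry, so a SIZ segment with Csiz = 0 that is not followed by end-of-file (or a short read caused by something other than EOF) is still accepted and leaves result->channels at 0 for whatever code uses it later. I would write the check as `if ((result->channels == 0 && php_stream_eof(stream)) || result->channels > 256) {` to make the intended grouping explicit, reject 0 unconditionally if a zero component count is never valid for this format, and ideally have php_read2 report a short read through a distinct signal rather than a sentinel that collides with real data. The `< sizeof(a)` comparison in php_read2 is correct only while php_stream_read returns an unsigned type as the description states; if any build returns a signed ssize_t with -1 on error, that value converts to a huge size_t, the check passes, and a[] is again used uninitialized — presumably not the case in this tree, but worth a one-line comment at the check. php_read2's signature and the function containing the Csiz check both lie outside the hunk.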