- libgd #86: Fixed possible infinite loop in libgd/gd_png.c

  (Reported by Xavier Roche)

diff --git a/ext/gd/libgd/gd_png.c b/ext/gd/libgd/gd_png.c
index 0f6436f1204f012c0690360500eb34d7128eef46..a002a9521288f05ced38307e67e3b73b81f27293 100644 (file)
--- a/ext/gd/libgd/gd_png.c
+++ b/ext/gd/libgd/gd_png.c
@@ -71,7 +71,11 @@ static void gdPngErrorHandler (png_structp png_ptr, png_const_charp msg)
 
 static void gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
-       gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+       int check;
+       check = gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+       if (check != length) {
+               png_error(png_ptr, "Read Error: truncated data");
+       }
 }
 
 static void gdPngWriteData (png_structp png_ptr, png_bytep data, png_size_t length)

diff --git a/ext/gd/tests/libgd00086.phpt b/ext/gd/tests/libgd00086.phpt
new file mode 100644 (file)
index 0000000..68f589a
--- /dev/null
+++ b/ext/gd/tests/libgd00086.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #39780 (PNG image with CRC/data error raises a fatal error)
+--SKIPIF--
+<?php 
+       if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+       if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+
+$im = imagecreatefrompng(dirname(__FILE__) . '/libgd00086.png');
+var_dump($im);
+?>
+--EXPECTF--
+
+Warning: imagecreatefrompng(): gd-png:  fatal libpng error: Read Error: truncated data in %s on line %d
+
+Warning: imagecreatefrompng(): gd-png error: setjmp returns error condition in %s on line %d
+
+Warning: imagecreatefrompng(): '%s' is not a valid PNG file in %s on line %d
+bool(false)

diff --git a/ext/gd/tests/libgd00086.png b/ext/gd/tests/libgd00086.png
new file mode 100644 (file)
index 0000000..0e7c8dd
Binary files /dev/null and b/ext/gd/tests/libgd00086.png differ