Fix bug #68601 buffer read overflow in gd_gif_in.c

diff --git a/NEWS b/NEWS
index 365615418dd1b58ae57779fccc75f4879019f56f..7596b002aa88334a77457a0eac32aa762c8d5b24 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2015 PHP 5.4.40
 
+- GD:
+  . Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Remi)
+
 - SOAP:
   . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize()
     with SoapFault). (Dmitry)

diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index ee88a2fc8e102720526f9b37ec17c46f4a383484..491e9422db0c9baf9b021958451e8cb0aab4b807 100644 (file)
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -72,8 +72,10 @@ static struct {
 
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
 
+#define CSD_BUF_SIZE 280
+
 typedef struct {
-       unsigned char    buf[280];
+       unsigned char    buf[CSD_BUF_SIZE];
        int              curbit, lastbit, done, last_byte;
 } CODE_STATIC_DATA;
 
@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
 
        ret = 0;
        for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
-               ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+               if (i < CSD_BUF_SIZE * 8) {
+                       ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+               } else {
+                       ret = -1;
+                       break;
+               }
 
        scd->curbit += code_size;
        return ret;