Fix for bug #71912 (libgd: signedness vulnerability)
authorStanislav Malyshev <stas@php.net>
Tue, 19 Apr 2016 05:20:22 +0000 (22:20 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 19 Apr 2016 05:24:16 +0000 (22:24 -0700)
ext/gd/libgd/gd_gd2.c
ext/gd/tests/bug71912.phpt [new file with mode: 0644]
ext/gd/tests/invalid_neg_size.gd2 [new file with mode: 0644]

index efc6ef47af598304e14dd1b54b0b4d615f85655a..1794ca9e5a87a8db2b3f63b7970a6c730df10177 100644 (file)
@@ -150,6 +150,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
                        if (gdGetInt(&cidx[i].size, in) != 1) {
                                goto fail1;
                        }
+                       if (cidx[i].offset < 0 || cidx[i].size < 0) {
+                               goto fail1;
+                       }
                }
                *chunkIdx = cidx;
        }
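Review bot: The added check `if (cidx[i].offset < 0 || cidx[i].size < 0)` rejects only negative values, so a chunk entry with a very large positive size, or an offset past the end of the input, still passes the header parse. If later code sizes a buffer or seeks using these fields (not visible in this hunk), an upper bound against the data actually available is still needed, either here or at the point of use. The new `goto fail1` also fires before `*chunkIdx = cidx;`, so the caller never receives `cidx`; confirm that the `fail1` label, which is outside the hunk, frees it. A short comment such as `/* offset and size are signed ints read from the file; reject negative values before they are used */` would record why the check exists. `_gd2GetHeader` starts and ends outside the hunk.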
diff --git a/ext/gd/tests/bug71912.phpt b/ext/gd/tests/bug71912.phpt
new file mode 100644 (file)
index 0000000..33b079d
--- /dev/null
@@ -0,0 +1,16 @@
+--TEST--
+Bug #71912 (libgd: signedness vulnerability)
+--SKIPIF--
+<?php
+        if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+        if(!function_exists('imagecreatefromgd2')) die('skip imagecreatefromgd2() not available');
+?>
+--FILE--
+<?php
+imagecreatefromgd2(__DIR__."/invalid_neg_size.gd2");
+?>
+OK
+--EXPECTF--
+
+Warning: imagecreatefromgd2(): '%s/invalid_neg_size.gd2' is not a valid GD2 file in %s/bug71912.php on line %d
+OK
\ No newline at end of file
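Review bot: The fixture name `invalid_neg_size.gd2` suggests that only the negative-size branch of the new check is exercised, leaving the `cidx[i].offset < 0` branch without a regression test. The fixture is binary and not visible here, so this is inferred from the name alone. A second fixture with a negative chunk offset and the same expected warning would cover that branch. The trailing `OK` outside the PHP tags is what shows the script ran to completion instead of crashing, which deserves a one-line comment in the --FILE-- section, e.g. `// must raise a warning and return, not crash`.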
diff --git a/ext/gd/tests/invalid_neg_size.gd2 b/ext/gd/tests/invalid_neg_size.gd2
new file mode 100644 (file)
index 0000000..3075f15
Binary files /dev/null and b/ext/gd/tests/invalid_neg_size.gd2 differ