Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf

author Christoph M. Becker <cmbecker69@gmx.de>

Thu, 13 Oct 2016 09:10:02 +0000 (11:10 +0200)

committer Christoph M. Becker <cmbecker69@gmx.de>

Thu, 13 Oct 2016 09:10:02 +0000 (11:10 +0200)
author Christoph M. Becker <cmbecker69@gmx.de>
Thu, 13 Oct 2016 09:10:02 +0000 (11:10 +0200)
committer Christoph M. Becker <cmbecker69@gmx.de>
Thu, 13 Oct 2016 09:10:02 +0000 (11:10 +0200)
diff --git a/NEWS b/NEWS

index d9e6b4c1d356034aa679233b04feec4daadd166d..415050456f7621d4664f3c31e3a21dcde176a6fd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@ PHP                                                                        NEWS
    . Fixed bug #73272 (imagescale() is not affected by, but affects
      imagesetinterpolation()). (cmb)
    . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
+  . Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
  
  - SOAP:
    . Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
diff --git a/ext/gd/libgd/gd_io_dp.c b/ext/gd/libgd/gd_io_dp.c

index bfeb4cb4bb9aa59bbab842df5294fb05849822b6..4dcedde8ccbc4afa7825d0abdffe4ab948bebe1a 100644 (file)
--- a/ext/gd/libgd/gd_io_dp.c
+++ b/ext/gd/libgd/gd_io_dp.c
@@ -237,7 +237,7 @@ static int dynamicGetbuf (gdIOCtxPtr ctx, void *buf, int len)
         if (remain >= len) {
                 rlen = len;
         } else {
-               if (remain == 0) {
+               if (remain <= 0) {
                         return EOF;
                 }
                 rlen = remain;
author	Christoph M. Becker <cmbecker69@gmx.de>
	Thu, 13 Oct 2016 09:10:02 +0000 (11:10 +0200)
committer	Christoph M. Becker <cmbecker69@gmx.de>
	Thu, 13 Oct 2016 09:10:02 +0000 (11:10 +0200)
NEWS		patch \| blob \| history
ext/gd/libgd/gd_io_dp.c		patch \| blob \| history