Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
authorChristoph M. Becker <cmbecker69@gmx.de>
Tue, 16 Aug 2016 16:23:36 +0000 (18:23 +0200)
committerAnatol Belski <ab@php.net>
Tue, 17 Jan 2017 08:30:43 +0000 (09:30 +0100)
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.

(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)

ext/gd/libgd/gd_gd2.c
ext/gd/tests/bug73868.gd2 [new file with mode: 0644]
ext/gd/tests/bug73868.phpt [new file with mode: 0644]

index d06f328425e8188f13b7720b93f0181ecda1893a..196b7858dc4c0297cff4eecabbbdb542bc15e377 100644 (file)
@@ -340,12 +340,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
                                        for (x = xlo; x < xhi; x++) {
                                                if (im->trueColor) {
                                                        if (!gdGetInt(&im->tpixels[y][x], in)) {
-                                                               im->tpixels[y][x] = 0;
+                                                               php_gd_error("gd2: EOF while reading\n");
+                                                               gdImageDestroy(im);
+                                                               return NULL;
                                                        }
                                                } else {
                                                        int ch;
                                                        if (!gdGetByte(&ch, in)) {
-                                                               ch = 0;
+                                                               php_gd_error("gd2: EOF while reading\n");
+                                                               gdImageDestroy(im);
+                                                               return NULL;
                                                        }
                                                        im->pixels[y][x] = ch;
                                                }
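Review bot: Both new failure branches release only `im` before `return NULL`, so any other buffer gdImageCreateFromGd2Ctx has allocated by this point would leak each time a truncated file is rejected; the function starts and ends outside the hunk, so whether such buffers exist on this path cannot be confirmed from here. If they do, both branches should leave through the function's common cleanup rather than returning directly. The two branches are identical three-line copies, and a short comment above each, such as `/* short read: reject the file instead of zero-filling the missing pixels */`, would record why the old fallback was removed. The trailing `\n` in `"gd2: EOF while reading\n"` appears to be what splits the warning across two lines in the new test's expected output, so consider dropping it unless the file's other messages follow the same convention.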
diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2
new file mode 100644 (file)
index 0000000..1c797d1
Binary files /dev/null and b/ext/gd/tests/bug73868.gd2 differ
diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt
new file mode 100644 (file)
index 0000000..135be79
--- /dev/null
@@ -0,0 +1,18 @@
+--TEST--
+Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd2: EOF while reading
+ in %s on line %d
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
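Review bot: The test loads a single fixture, so it can reach only one of the two read paths changed in gd_gd2.c (the truecolor `gdGetInt` branch or the palette `gdGetByte` branch); which one is not visible here because bug73868.gd2 is binary. A second fixture for the other branch would cover both new early returns. The test also does not say what is malformed about the fixture; a `--DESCRIPTION--` section noting that the file ends before the pixel data its header announces (if that is how it was built) would make the regression easier to maintain.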