From: Christoph M. Becker <cmbecker69@gmx.de>
Date: Thu, 13 Oct 2016 09:10:02 +0000 (+0200)
Subject: Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf
X-Git-Tag: php-7.1.0RC4~26
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=086491555022b3b0ec59d26c6442a302171666ba;p=php

Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf

We make sure to never pass a negative `rlen` as size to memcpy().

Cf. <https://github.com/libgd/libgd/commit/53110871>.

(cherry picked from commit cc08cbc84d46933c1e9e0149633f1ed5d19e45e9)
---

diff --git a/ext/gd/libgd/gd_io_dp.c b/ext/gd/libgd/gd_io_dp.c
index bfeb4cb4bb..4dcedde8cc 100644
--- a/ext/gd/libgd/gd_io_dp.c
+++ b/ext/gd/libgd/gd_io_dp.c
@@ -237,7 +237,7 @@ static int dynamicGetbuf (gdIOCtxPtr ctx, void *buf, int len)
 	if (remain >= len) {
 		rlen = len;
 	} else {
-		if (remain == 0) {
+		if (remain <= 0) {
 			return EOF;
 		}
 		rlen = remain;