From: Mattias Bengtsson <mattias@php.net>
Date: Thu, 9 Aug 2007 12:08:29 +0000 (+0000)
Subject: - libgd #94, imagecreatefromxbm can crash if gdImageCreate fails
X-Git-Tag: php-5.2.4RC2~55
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=436a7a9767748a95292a72a758c0a6e2c86206e5;p=php

- libgd #94, imagecreatefromxbm can crash if gdImageCreate fails
---

diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c
index 7a0ca8c40c..53a0d63679 100644
--- a/ext/gd/libgd/xbm.c
+++ b/ext/gd/libgd/xbm.c
@@ -96,7 +96,9 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
 		return 0;
 	}
 
-	im = gdImageCreate(width, height);
+	if(!(im = gdImageCreate(width, height))) {
+		return 0;
+	}
 	gdImageColorAllocate(im, 255, 255, 255);
 	gdImageColorAllocate(im, 0, 0, 0);
 	h[2] = '\0';
diff --git a/ext/gd/tests/libgd00094.phpt b/ext/gd/tests/libgd00094.phpt
new file mode 100644
index 0000000000..d1d68eab04
--- /dev/null
+++ b/ext/gd/tests/libgd00094.phpt
@@ -0,0 +1,19 @@
+--TEST--
+libgd #94 (imagecreatefromxbm can crash if gdImageCreate fails)
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+	if (!GD_BUNDLED) die("skip requires bundled GD library\n");
+?>
+--FILE--
+<?php
+$im = imagecreatefromxbm(dirname(__FILE__) . '/libgd00094.xbm');
+var_dump($im);
+?>
+--EXPECTF--
+Warning: imagecreatefromxbm(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %slibgd00094.php on line %d
+
+Warning: imagecreatefromxbm(): '%slibgd00094.xbm' is not a valid XBM file in %slibgd00094.php on line %d
+bool(false)
+
diff --git a/ext/gd/tests/libgd00094.xbm b/ext/gd/tests/libgd00094.xbm
new file mode 100644
index 0000000000..4d0f5bdd87
--- /dev/null
+++ b/ext/gd/tests/libgd00094.xbm
@@ -0,0 +1,3 @@
+#define width 255
+#define height 1073741824
+static unsigned char bla = {