From: Pierre Joye Date: Mon, 17 Jul 2006 15:19:16 +0000 (+0000) Subject: - MFH #38112, bad code size segfault X-Git-Tag: php-4.4.4RC1~25 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=507e1fd5a2061deec1f718cf813dcdfc99e19ad0;p=php - MFH #38112, bad code size segfault --- diff --git a/NEWS b/NEWS index 808c5a5ecd..03ee4e7282 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ PHP 4 NEWS - Improved safe_mode check for the error_log() function. (Ilia) - Fixed handling of extremely long paths inside tempnam() function. (Ilia) - Fixed XSS inside phpinfo() with long inputs. (Ilia) +- Fixed bug #38112 (corrupted gif segfaults) (Pierre) - Fixed bug #37720 (merge_php_config scrambles values). (Mike, pumuckel at metropolis dot de) - Fixed bug #37569 (WDDX incorrectly encodes high-ascii characters). (Ilia) diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c index 092c89a5d8..8a937e1321 100644 --- a/ext/gd/libgd/gd_gif_in.c +++ b/ext/gd/libgd/gd_gif_in.c @@ -216,6 +216,12 @@ terminated: if (!im) { return 0; } + + if (!im->colorsTotal) { + gdImageDestroy(im); + return 0; + } + /* Check for open colors at the end, so we can reduce colorsTotal and ultimately BitsPerPixel */ @@ -506,6 +512,19 @@ ReadImage(gdImagePtr im, gdIOCtx *fd, int len, int height, unsigned char (*cmap) int v; int xpos = 0, ypos = 0, pass = 0; int i; + + /* + ** Initialize the Compression routines + */ + if (! ReadOK(fd,&c,1)) { + return; + } + + if (c > MAX_LWZ_BITS) { + return; + } + + /* Stash the color map into the image */ for (i=0; (ired[i] = cmap[CM_RED][i]; @@ -515,12 +534,7 @@ ReadImage(gdImagePtr im, gdIOCtx *fd, int len, int height, unsigned char (*cmap) } /* Many (perhaps most) of these colors will remain marked open. */ im->colorsTotal = gdMaxColors; - /* - ** Initialize the Compression routines - */ - if (! ReadOK(fd,&c,1)) { - return; - } + if (LWZReadByte(fd, TRUE, c) < 0) { return; } 
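Review bot: The new `!im->colorsTotal` test after `terminated:` only catches ReadImage bailing out before the colour map is stashed; the `LWZReadByte(fd, TRUE, c) < 0` return in ReadImage comes after `im->colorsTotal = gdMaxColors`, so that failure still falls through here as if the image had decoded. Because ReadImage returns nothing, colorsTotal is doubling as an error flag, which a later edit can easily break. I would either clear it on that path, `if (LWZReadByte(fd, TRUE, c) < 0) { im->colorsTotal = 0; return; }`, or at least document the coupling with `/* colorsTotal is still 0 if ReadImage rejected the data before loading the palette */`. The enclosing function starts and ends outside this hunk, so other paths that reach `terminated:` were not checked.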
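Review bot: The guard `if (c > MAX_LWZ_BITS)` in ReadImage still accepts a code size equal to MAX_LWZ_BITS, and GIF decoders conventionally start reading codes one bit wider than this value, so the largest accepted input may already exceed the width the LZW tables are sized for. MAX_LWZ_BITS and the table declarations are outside the hunk, so please confirm against them whether the bound should be `if (c >= MAX_LWZ_BITS)`. The read was moved ahead of the colour-map copy, and that order is what makes the caller's colorsTotal check work; a comment such as `/* validate the code size before touching im, so the caller sees colorsTotal == 0 on failure */` would keep it from being reordered later. ReadImage's body continues outside the hunk.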
diff --git a/ext/gd/tests/bug38112.gif b/ext/gd/tests/bug38112.gif new file mode 100644 index 0000000000..178d27e357 Binary files /dev/null and b/ext/gd/tests/bug38112.gif differ diff --git a/ext/gd/tests/bug38112.phpt b/ext/gd/tests/bug38112.phpt new file mode 100644 index 0000000000..2a7cd4bd33 --- /dev/null +++ b/ext/gd/tests/bug38112.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #38112 (GIF Invalid Code size ). +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +Warning: imagecreatefromgif() [%s]: '%sbug38112.gif' is not a valid GIF file in %sbug38112.php on line %d