From: Pierre Joye
Date: Wed, 16 May 2007 22:16:22 +0000 (+0000)
Subject: - libgd #86: Fixed possible infinite loop in libgd/gd_png.c
X-Git-Tag: RELEASE_1_2_0~17
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=69dca143c9eb11a022919e65c5b449fe2ff24530;p=php
- libgd #86: Fixed possible infinite loop in libgd/gd_png.c (Reported by Xavier Roche)
---
diff --git a/ext/gd/libgd/gd_png.c b/ext/gd/libgd/gd_png.c
index 0f6436f120..a002a95212 100644
--- a/ext/gd/libgd/gd_png.c
+++ b/ext/gd/libgd/gd_png.c
@@ -71,7 +71,11 @@ static void gdPngErrorHandler (png_structp png_ptr, png_const_charp msg)
 static void gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
- gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+ int check;
+ check = gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+ if (check != length) {
+ png_error(png_ptr, "Read Error: truncated data");
+ }
 }
 static void gdPngWriteData (png_structp png_ptr, png_bytep data, png_size_t length)
diff --git a/ext/gd/tests/libgd00086.phpt b/ext/gd/tests/libgd00086.phpt
new file mode 100644
index 0000000000..68f589a5bd
--- /dev/null
+++ b/ext/gd/tests/libgd00086.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #39780 (PNG image with CRC/data error raises a fatal error)
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+
+Warning: imagecreatefrompng(): gd-png: fatal libpng error: Read Error: truncated data in %s on line %d
+
+Warning: imagecreatefrompng(): gd-png error: setjmp returns error condition in %s on line %d
+
+Warning: imagecreatefrompng(): '%s' is not a valid PNG file in %s on line %d
+bool(false)
diff --git a/ext/gd/tests/libgd00086.png b/ext/gd/tests/libgd00086.png
new file mode 100644
index 0000000000..0e7c8dda0a
Binary files /dev/null and b/ext/gd/tests/libgd00086.png differ
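Review bot: The new comparison `check != length` in gdPngReadData mixes a signed `int` with the unsigned `png_size_t`, so a negative return from gdGetBuf is rejected only as a side effect of the implicit conversion to unsigned. Spelling the intent out keeps the truncated-input check robust against later refactors and silences sign-compare warnings: `if (check < 0 || (png_size_t) check != length) {`. gdGetBuf's prototype is not visible in this hunk; if its size parameter is also `int`, a request larger than INT_MAX would be narrowed before the read and deserves an explicit reject as well. A short comment such as `/* short read: abort decoding, otherwise libpng keeps requesting data from an exhausted stream */` would record why the check exists.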