From: Pierre Joye <pajoye@php.net>
Date: Thu, 17 Jul 2008 23:28:11 +0000 (+0000)
Subject: - MFB: fix crash when some crafted font are given
X-Git-Tag: BEFORE_HEAD_NS_CHANGE~1218
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a883ec0aca510f11bc5e7d855f5e5c4998319866;p=php

- MFB: fix crash when some crafted font are given
---

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index f07279ddc0..67b760f599 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1483,6 +1483,19 @@ PHP_FUNCTION(imageloadfont)
 		body_size = font->w * font->h * font->nchars;
 	}
 
+	if (overflow2(font->nchars, font->h)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+		efree(font);
+		php_stream_close(stream);
+		RETURN_FALSE;
+	}
+	if (overflow2(font->nchars * font->h, font->w )) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
+		efree(font);
+		php_stream_close(stream);
+		RETURN_FALSE;
+	}
+
 	if (body_size != body_size_check) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
 		efree(font);
diff --git a/ext/gd/tests/imageloadfont_invalid.phpt b/ext/gd/tests/imageloadfont_invalid.phpt
new file mode 100644
index 0000000000..b297ac73e2
--- /dev/null
+++ b/ext/gd/tests/imageloadfont_invalid.phpt
@@ -0,0 +1,25 @@
+--TEST--
+imageloadfont() function crashes
+--SKIPIF--
+<?php 
+	if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+	if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$filename = dirname(__FILE__) .  '/font.gdf';
+$bin = "\x41\x41\x41\x41\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00";
+$fp = fopen($filename, 'wb');
+fwrite($fp, $bin);
+fclose($fp);
+
+$image = imagecreatetruecolor(50, 20);
+$font = imageloadfont($filename);
+$black = imagecolorallocate($image, 0, 0, 0);
+imagestring($image, $font, 0, 0, "Hello", $black);
+?>
+--EXPECTF--
+Warning: imageloadfont(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %simageloadfont_invalid.php on line %d
+
+Warning: imageloadfont(): Error reading font, invalid font header in %simageloadfont_invalid.php on line %d