From: Christoph M. Becker Date: Tue, 16 Aug 2016 16:23:36 +0000 (+0200) Subject: Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx() X-Git-Tag: php-5.6.30~1^2~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f1b2afc9d9e77edf41804f5dfc4e2069d8a12975;p=php Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx() We must not pretend that there are image data if there are none. Instead we fail reading the image file gracefully. (cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab) --- diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index d06f328425..196b7858dc 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -340,12 +340,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in) for (x = xlo; x < xhi; x++) { if (im->trueColor) { if (!gdGetInt(&im->tpixels[y][x], in)) { - im->tpixels[y][x] = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } } else { int ch; if (!gdGetByte(&ch, in)) { - ch = 0; + php_gd_error("gd2: EOF while reading\n"); + gdImageDestroy(im); + return NULL; } im->pixels[y][x] = ch; } diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2 new file mode 100644 index 0000000000..1c797d1acf Binary files /dev/null and b/ext/gd/tests/bug73868.gd2 differ diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt new file mode 100644 index 0000000000..135be7917b --- /dev/null +++ b/ext/gd/tests/bug73868.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()) +--SKIPIF-- + +--FILE-- + +===DONE=== +--EXPECTF-- +Warning: imagecreatefromgd2(): gd2: EOF while reading + in %s on line %d + +Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d +bool(false) +===DONE===