From b15f0ecc0f34364fd7ce924b4164be4e8198ff93 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 18 Apr 2016 22:20:22 -0700 Subject: [PATCH] Fix for bug #71912 (libgd: signedness vulnerability) --- ext/gd/libgd/gd_gd2.c | 3 +++ ext/gd/tests/bug71912.phpt | 16 ++++++++++++++++ ext/gd/tests/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes 3 files changed, 19 insertions(+) create mode 100644 ext/gd/tests/bug71912.phpt create mode 100644 ext/gd/tests/invalid_neg_size.gd2 diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index efc6ef47af..1794ca9e5a 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -150,6 +150,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in if (gdGetInt(&cidx[i].size, in) != 1) { goto fail1; } + if (cidx[i].offset < 0 || cidx[i].size < 0) { + goto fail1; + } } *chunkIdx = cidx; } diff --git a/ext/gd/tests/bug71912.phpt b/ext/gd/tests/bug71912.phpt new file mode 100644 index 0000000000..33b079d937 --- /dev/null +++ b/ext/gd/tests/bug71912.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #71912 (libgd: signedness vulnerability) +--SKIPIF-- + +--FILE-- + +OK +--EXPECTF-- + +Warning: imagecreatefromgd2(): '%s/invalid_neg_size.gd2' is not a valid GD2 file in %s/bug71912.php on line %d +OK \ No newline at end of file diff --git a/ext/gd/tests/invalid_neg_size.gd2 b/ext/gd/tests/invalid_neg_size.gd2 new file mode 100644 index 0000000000000000000000000000000000000000..3075f15a81a5ac0312f1548ef7733726c58c1f24 GIT binary patch literal 1676 zcmYdKF=Aj~VqgS92QbaVz`&x(z`&3Xq-XpG0w8-7jE2By2#o9ys9)=nrYtl!eO@Y0j(uP24Oy8cV*JZTi%$LjUn zHzKcM%atz4N1|6Bc&yqQwj{71^7_XwahG!Za#qgRp0&AK_7P)ivKtpiqy+Qht#SF* zMaQJhn^t_9qk56qrqA%Mh{#vZ%zd@pEzz2O-%mf&R%I8q zf?T2nbvg-FtoADt&xdhev;R0l>jm4q7qbJdANGtCPvX9R`uql)<-sap|IGrVrT6W5 zXnv=f!*bd}GjY+2hGIKyAG$nqUSL?uGc}?vV9J_*x4-T7>?=Ea+<1Qdhx_^N-fMX) OZWwA+Ogk&gc>@5dGaWbp literal 0 HcmV?d00001 -- 2.40.0