diff options
author | Remi Collet <remi@remirepo.net> | 2018-03-01 10:08:47 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2018-03-01 10:08:47 +0100 |
commit | 6a75ec7b86fc3f19b758a0e6525e9df7eb87a9f9 (patch) | |
tree | 3063e2862ede5cb869233359d021731e3b156e90 /bug73868.patch | |
parent | f6bab89b5b2345cac08d761e2fd93f7d18da8aea (diff) |
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167
fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168
fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890
fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711
fix #75981: stack-buffer-overflow while parsing HTTP response
Diffstat (limited to 'bug73868.patch')
-rw-r--r-- | bug73868.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/bug73868.patch b/bug73868.patch new file mode 100644 index 0000000..6df0a22 --- /dev/null +++ b/bug73868.patch @@ -0,0 +1,47 @@ +Fix for CVE-2017-10168 +Backported for 5.4 without test and binary patch + + +From f1b2afc9d9e77edf41804f5dfc4e2069d8a12975 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 16 Aug 2016 18:23:36 +0200 +Subject: [PATCH] Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx() + +We must not pretend that there are image data if there are none. Instead +we fail reading the image file gracefully. + +(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab) +--- + ext/gd/libgd/gd_gd2.c | 8 ++++++-- + ext/gd/tests/bug73868.gd2 | Bin 0 -> 1050 bytes + ext/gd/tests/bug73868.phpt | 18 ++++++++++++++++++ + 3 files changed, 24 insertions(+), 2 deletions(-) + create mode 100644 ext/gd/tests/bug73868.gd2 + create mode 100644 ext/gd/tests/bug73868.phpt + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index d06f328..196b785 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -334,12 +334,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in) + for (x = xlo; x < xhi; x++) { + if (im->trueColor) { + if (!gdGetInt(&im->tpixels[y][x], in)) { +- im->tpixels[y][x] = 0; ++ php_gd_error("gd2: EOF while reading\n"); ++ gdImageDestroy(im); ++ return NULL; + } + } else { + int ch; + if (!gdGetByte(&ch, in)) { +- ch = 0; ++ php_gd_error("gd2: EOF while reading\n"); ++ gdImageDestroy(im); ++ return NULL; + } + im->pixels[y][x] = ch; + } +-- +2.1.4 + |