1 files changed, 45 insertions, 0 deletions

diff --git a/bug73869.patch b/bug73869.patch
new file mode 100644
index 0000000..6e5b08e
--- /dev/null
+++ b/bug73869.patch
@@ -0,0 +1,45 @@
+Fix for CVE-2017-10168
+Backported for 5.4 without test and binary patch
+
+
+From d2274b01cbbadf5516b3ea87ad76fbae18834007 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 17 Dec 2016 17:06:58 +0100
+Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c
+
+GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
+byte unsigned). These values are multiplied and assigned to an int when
+reading the image, what can cause integer overflows. We have to avoid
+that, and also make sure that either chunk count is actually greater
+than zero. If illegal chunk counts are detected, we bail out from
+reading the image.
+
+(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
+---
+ ext/gd/libgd/gd_gd2.c      |   4 ++++
+ ext/gd/tests/bug73869.phpt |  19 +++++++++++++++++++
+ ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes
+ ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes
+ 4 files changed, 23 insertions(+)
+ create mode 100644 ext/gd/tests/bug73869.phpt
+ create mode 100644 ext/gd/tests/bug73869a.gd2
+ create mode 100644 ext/gd/tests/bug73869b.gd2
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 196b785..3eba6b3 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ 	GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
+ 
+ 	if (gd2_compressed(*fmt)) {
++		if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++			GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++			goto fail1;
++		}
+ 		nc = (*ncx) * (*ncy);
+ 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+ 		if (overflow2(sizeof(t_chunk_info), nc)) {
+-- 
+2.1.4
+