From 42bb2c9221ab019a8d42a11644eceaf7b05d39d9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 27 Apr 2016 09:04:26 +0200 Subject: php 5.4 add security patches, backported from 5.5.35 --- bug71912.patch | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 bug71912.patch (limited to 'bug71912.patch') diff --git a/bug71912.patch b/bug71912.patch new file mode 100644 index 0000000..9e2247b --- /dev/null +++ b/bug71912.patch @@ -0,0 +1,60 @@ +Backported for 5.4 from 5.5.35 by Remi Collet +Binary diff removed + +From b15f0ecc0f34364fd7ce924b4164be4e8198ff93 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 18 Apr 2016 22:20:22 -0700 +Subject: [PATCH] Fix for bug #71912 (libgd: signedness vulnerability) + +--- + ext/gd/libgd/gd_gd2.c | 3 +++ + ext/gd/tests/bug71912.phpt | 16 ++++++++++++++++ + ext/gd/tests/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes + 3 files changed, 19 insertions(+) + create mode 100644 ext/gd/tests/bug71912.phpt + create mode 100644 ext/gd/tests/invalid_neg_size.gd2 + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index efc6ef4..1794ca9 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -150,6 +150,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in + if (gdGetInt(&cidx[i].size, in) != 1) { + goto fail1; + } ++ if (cidx[i].offset < 0 || cidx[i].size < 0) { ++ goto fail1; ++ } + } + *chunkIdx = cidx; + } + +From 61c7a06e7c19d9b408db1129efa0959a0acbf0b1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 26 Apr 2016 22:54:58 -0700 +Subject: [PATCH] Fix memory leak + +--- + ext/gd/libgd/gd_gd2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index 1794ca9..6726fee 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -145,12 +145,15 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in + cidx = gdCalloc(sidx, 1); + for (i = 0; i < nc; i++) { + if (gdGetInt(&cidx[i].offset, in) != 1) { ++ gdFree(cidx); + goto fail1; + } + if (gdGetInt(&cidx[i].size, in) != 1) { ++ gdFree(cidx); + goto fail1; + } + if (cidx[i].offset < 0 || cidx[i].size < 0) { ++ gdFree(cidx); + goto fail1; + } + } -- cgit