diff options
| author | Remi Collet <remi@remirepo.net> | 2022-10-26 12:12:29 +0200 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2022-10-26 12:12:29 +0200 |
| commit | 8c834989bed43ad4ee8f82cc4704acfdb2adf774 (patch) | |
| tree | 9317bd8f378bab011c5efe5063af2b86dbe83b03 /php-bug81739.patch | |
| parent | 50cd071034ce4430352d4d9bdcd0fb2a5c666ef5 (diff) | |
add upstream fix for CVE-2022-31630 and CVE-2022-37454
Diffstat (limited to 'php-bug81739.patch')
| -rw-r--r-- | php-bug81739.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/php-bug81739.patch b/php-bug81739.patch new file mode 100644 index 0000000..f76e8c0 --- /dev/null +++ b/php-bug81739.patch @@ -0,0 +1,70 @@ +From d50532be91f054ef9beb1afca2ea94f4a70f7c4d Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 18 Oct 2022 12:13:16 +0200 +Subject: [PATCH] Fix #81739: OOB read due to insufficient validation in + imageloadfont() + +If we swap the byte order of the relevant header bytes, we need to make +sure again that the following multiplication does not overflow. +--- + ext/gd/gd.c | 7 +++++++ + ext/gd/tests/bug81739.phpt | 24 ++++++++++++++++++++++++ + 2 files changed, 31 insertions(+) + create mode 100644 ext/gd/tests/bug81739.phpt + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index 336a73969267..fde93bba496f 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1485,6 +1485,12 @@ PHP_FUNCTION(imageloadfont) + font->w = FLIPWORD(font->w); + font->h = FLIPWORD(font->h); + font->nchars = FLIPWORD(font->nchars); ++ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) { ++ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header"); ++ efree(font); ++ php_stream_close(stream); ++ RETURN_FALSE; ++ } + body_size = font->w * font->h * font->nchars; + } + +@@ -1495,6 +1501,7 @@ PHP_FUNCTION(imageloadfont) + RETURN_FALSE; + } + ++ ZEND_ASSERT(body_size > 0); + font->data = emalloc(body_size); + b = 0; + while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) { +diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt +new file mode 100644 +index 000000000000..cc2a90381bab +--- /dev/null ++++ b/ext/gd/tests/bug81739.phpt +@@ -0,0 +1,24 @@ ++--TEST-- ++Bug #81739 (OOB read due to insufficient validation in imageloadfont()) ++--SKIPIF-- ++<?php ++if (!extension_loaded("gd")) die("skip gd extension not available"); ++?> ++--FILE-- ++<?php ++$s = fopen(__DIR__ . "/font.font", "w"); ++// header without character data ++fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"); ++fclose($s); ++var_dump(imageloadfont(__DIR__ . "/font.font")); ++?> ++--CLEAN-- ++<?php ++@unlink(__DIR__ . "/font.font"); ++?> ++--EXPECTF-- ++Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully ++ in %s on line %d ++ ++Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d ++bool(false) +\ No newline at end of file |