diff options
Diffstat (limited to 'php-bug81739.patch')
| -rw-r--r-- | php-bug81739.patch | 70 |
1 files changed, 0 insertions, 70 deletions
diff --git a/php-bug81739.patch b/php-bug81739.patch deleted file mode 100644 index f76e8c0..0000000 --- a/php-bug81739.patch +++ /dev/null @@ -1,70 +0,0 @@ -From d50532be91f054ef9beb1afca2ea94f4a70f7c4d Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" <cmbecker69@gmx.de> -Date: Tue, 18 Oct 2022 12:13:16 +0200 -Subject: [PATCH] Fix #81739: OOB read due to insufficient validation in - imageloadfont() - -If we swap the byte order of the relevant header bytes, we need to make -sure again that the following multiplication does not overflow. ---- - ext/gd/gd.c | 7 +++++++ - ext/gd/tests/bug81739.phpt | 24 ++++++++++++++++++++++++ - 2 files changed, 31 insertions(+) - create mode 100644 ext/gd/tests/bug81739.phpt - -diff --git a/ext/gd/gd.c b/ext/gd/gd.c -index 336a73969267..fde93bba496f 100644 ---- a/ext/gd/gd.c -+++ b/ext/gd/gd.c -@@ -1485,6 +1485,12 @@ PHP_FUNCTION(imageloadfont) - font->w = FLIPWORD(font->w); - font->h = FLIPWORD(font->h); - font->nchars = FLIPWORD(font->nchars); -+ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) { -+ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header"); -+ efree(font); -+ php_stream_close(stream); -+ RETURN_FALSE; -+ } - body_size = font->w * font->h * font->nchars; - } - -@@ -1495,6 +1501,7 @@ PHP_FUNCTION(imageloadfont) - RETURN_FALSE; - } - -+ ZEND_ASSERT(body_size > 0); - font->data = emalloc(body_size); - b = 0; - while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) { -diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt -new file mode 100644 -index 000000000000..cc2a90381bab ---- /dev/null -+++ b/ext/gd/tests/bug81739.phpt -@@ -0,0 +1,24 @@ -+--TEST-- -+Bug #81739 (OOB read due to insufficient validation in imageloadfont()) -+--SKIPIF-- -+<?php -+if (!extension_loaded("gd")) die("skip gd extension not available"); -+?> -+--FILE-- -+<?php -+$s = fopen(__DIR__ . "/font.font", "w"); -+// header without character data -+fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"); -+fclose($s); -+var_dump(imageloadfont(__DIR__ . "/font.font")); -+?> -+--CLEAN-- -+<?php -+@unlink(__DIR__ . "/font.font"); -+?> -+--EXPECTF-- -+Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully -+ in %s on line %d -+ -+Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d -+bool(false) -\ No newline at end of file |