From 8c834989bed43ad4ee8f82cc4704acfdb2adf774 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 26 Oct 2022 12:12:29 +0200 Subject: add upstream fix for CVE-2022-31630 and CVE-2022-37454 --- php-bug81739.patch | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 php-bug81739.patch (limited to 'php-bug81739.patch') diff --git a/php-bug81739.patch b/php-bug81739.patch new file mode 100644 index 0000000..f76e8c0 --- /dev/null +++ b/php-bug81739.patch @@ -0,0 +1,70 @@ +From d50532be91f054ef9beb1afca2ea94f4a70f7c4d Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 18 Oct 2022 12:13:16 +0200 +Subject: [PATCH] Fix #81739: OOB read due to insufficient validation in + imageloadfont() + +If we swap the byte order of the relevant header bytes, we need to make +sure again that the following multiplication does not overflow. +--- + ext/gd/gd.c | 7 +++++++ + ext/gd/tests/bug81739.phpt | 24 ++++++++++++++++++++++++ + 2 files changed, 31 insertions(+) + create mode 100644 ext/gd/tests/bug81739.phpt + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index 336a73969267..fde93bba496f 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1485,6 +1485,12 @@ PHP_FUNCTION(imageloadfont) + font->w = FLIPWORD(font->w); + font->h = FLIPWORD(font->h); + font->nchars = FLIPWORD(font->nchars); ++ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) { ++ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header"); ++ efree(font); ++ php_stream_close(stream); ++ RETURN_FALSE; ++ } + body_size = font->w * font->h * font->nchars; + } + +@@ -1495,6 +1501,7 @@ PHP_FUNCTION(imageloadfont) + RETURN_FALSE; + } + ++ ZEND_ASSERT(body_size > 0); + font->data = emalloc(body_size); + b = 0; + while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) { +diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt +new file mode 100644 +index 000000000000..cc2a90381bab +--- /dev/null ++++ b/ext/gd/tests/bug81739.phpt +@@ -0,0 +1,24 @@ ++--TEST-- ++Bug #81739 (OOB read due to insufficient validation in imageloadfont()) ++--SKIPIF-- ++ ++--FILE-- ++ ++--CLEAN-- ++ ++--EXPECTF-- ++Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully ++ in %s on line %d ++ ++Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d ++bool(false) +\ No newline at end of file -- cgit