summaryrefslogtreecommitdiffstats
path: root/bug73869.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
commit03cb94d7835b8548cd35966c0cf3e10e48808f87 (patch)
tree9dd556b7b0c66754ad6ea46395c10c997b1a91f5 /bug73869.patch
parentb9459ddfb28b45ec827d5d0e2e83ec7def175233 (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response
Diffstat (limited to 'bug73869.patch')
-rw-r--r--bug73869.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/bug73869.patch b/bug73869.patch
new file mode 100644
index 0000000..6e5b08e
--- /dev/null
+++ b/bug73869.patch
@@ -0,0 +1,45 @@
+Fix for CVE-2017-10168
+Backported for 5.4 without test and binary patch
+
+
+From d2274b01cbbadf5516b3ea87ad76fbae18834007 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 17 Dec 2016 17:06:58 +0100
+Subject: [PATCH] Fix #73869: Signed Integer Overflow gd_io.c
+
+GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
+byte unsigned). These values are multiplied and assigned to an int when
+reading the image, what can cause integer overflows. We have to avoid
+that, and also make sure that either chunk count is actually greater
+than zero. If illegal chunk counts are detected, we bail out from
+reading the image.
+
+(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
+---
+ ext/gd/libgd/gd_gd2.c | 4 ++++
+ ext/gd/tests/bug73869.phpt | 19 +++++++++++++++++++
+ ext/gd/tests/bug73869a.gd2 | Bin 0 -> 92 bytes
+ ext/gd/tests/bug73869b.gd2 | Bin 0 -> 18 bytes
+ 4 files changed, 23 insertions(+)
+ create mode 100644 ext/gd/tests/bug73869.phpt
+ create mode 100644 ext/gd/tests/bug73869a.gd2
+ create mode 100644 ext/gd/tests/bug73869b.gd2
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 196b785..3eba6b3 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
+
+ if (gd2_compressed(*fmt)) {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++ goto fail1;
++ }
+ nc = (*ncx) * (*ncy);
+ GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+ if (overflow2(sizeof(t_chunk_info), nc)) {
+--
+2.1.4
+