Backported from PHP 5.5.37 to PHP 5.4 by Remi Collet


From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001
From: Pierre Joye <pajoye@php.net>
Date: Sat, 18 Jun 2016 20:15:10 +0200
Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in
 heap overflow

---
 ext/gd/libgd/gd_gd2.c      |   7 +++++++
 ext/gd/tests/bug72339.gd   | Bin 0 -> 67108882 bytes
 ext/gd/tests/bug72339.phpt |  11 +++++++++++
 3 files changed, 18 insertions(+)
 create mode 100644 ext/gd/tests/bug72339.gd
 create mode 100644 ext/gd/tests/bug72339.phpt

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 6726fee..63e3aef 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 	if (gd2_compressed(*fmt)) {
 		nc = (*ncx) * (*ncy);
 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+		if (overflow2(sidx, nc)) {
+			goto fail1;
+		}
 		sidx = sizeof(t_chunk_info) * nc;
 		if (sidx <= 0) {
 			goto fail1;
 		}
 		cidx = gdCalloc(sidx, 1);
+		if (cidx == NULL) {
+			goto fail1;
+		}
+
 		for (i = 0; i < nc; i++) {
 			if (gdGetInt(&cidx[i].offset, in) != 1) {
 				gdFree(cidx);
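Review bot: The multiplication `nc = (*ncx) * (*ncy)` on the line just above the new check is itself unguarded, so two chunk counts that each fit the header can overflow `int` (undefined behaviour) before `overflow2()` ever sees `nc`; if `ncx`/`ncy` are read as 16-bit words earlier in the function (outside the hunk), 0xFFFF x 0xFFFF already exceeds INT_MAX. Guard the operands rather than only the product with the element size, placing `if (*ncx <= 0 || *ncy <= 0 || overflow2(*ncx, *ncy)) { goto fail1; }` before the `nc =` assignment. Note also that the first argument passed to `overflow2()` here is `sidx`, which has not been assigned yet at this point, so the check compares against a stale value; the follow-up commit further down this page changes it to `sizeof(t_chunk_info)`. _gd2GetHeader starts and ends outside the hunk.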
diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
new file mode 100644
index 0000000..763ae71
--- /dev/null
+++ b/ext/gd/tests/bug72339.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow 
+--SKIPIF--
+<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
+--FILE--
+<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
+--EXPECTF--	
+Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %sbug72339.php on line %d
+
+Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d

From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 20 Jun 2016 22:54:55 -0700
Subject: [PATCH] fix tests

---
 ext/gd/libgd/gd_gd2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 63e3aef..e954aaf 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -138,7 +138,7 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 	if (gd2_compressed(*fmt)) {
 		nc = (*ncx) * (*ncy);
 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
-		if (overflow2(sidx, nc)) {
+		if (overflow2(sizeof(t_chunk_info), nc)) {
 			goto fail1;
 		}
 		sidx = sizeof(t_chunk_info) * nc;
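Review bot: Even with the corrected `overflow2(sizeof(t_chunk_info), nc)` the only bound on the chunk index is INT_MAX, so a header of a few dozen bytes can still make `gdCalloc(sidx, 1)` request close to 2 GiB before a single index entry is read — a cheap memory-exhaustion vector that the fix leaves open, distinct from the heap overflow it closes. If, as the format suggests, `ncx`/`ncy` are derived from the image width and height divided by the chunk size, reject counts that exceed what `*sx`, `*sy` and `*cs` admit (presumably already parsed at this point, since `*fmt` is), using an upper bound such as `if (*cs <= 0 || *ncx > *sx / *cs + 1 || *ncy > *sy / *cs + 1) goto fail1;` rather than an exact equality, because the writer's rounding is not visible here. The parameter types of `overflow2()` are not visible either; if it takes `int`, the `size_t` from `sizeof` is narrowed silently, which is harmless for a small struct but worth an explicit `(int)` cast for clarity. _gd2GetHeader starts and ends outside the hunk.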

From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Tue, 21 Jun 2016 09:42:38 +0200
Subject: [PATCH] remove the huge test file, generate it on the fly instead

---
 ext/gd/tests/bug72339.gd   | Bin 67108882 -> 0 bytes
 ext/gd/tests/bug72339.phpt |  24 +++++++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 delete mode 100644 ext/gd/tests/bug72339.gd

diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
index 763ae71..2c30ee8 100644
--- a/ext/gd/tests/bug72339.phpt
+++ b/ext/gd/tests/bug72339.phpt
@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
 --SKIPIF--
 <?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
 --FILE--
-<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
+<?php
+$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd";
+
+$fh = fopen($fname, "w");
+fwrite($fh, "gd2\x00");
+fwrite($fh, pack("n", 2));
+fwrite($fh, pack("n", 1));
+fwrite($fh, pack("n", 1));
+fwrite($fh, pack("n", 0x40));
+fwrite($fh, pack("n", 2));
+fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
+fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
+fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
+fclose($fh);
+
+$im = imagecreatefromgd2($fname);
+
+if ($im) {
+	imagedestroy($im);
+}
+unlink($fname);
+
+?>
 --EXPECTF--	
 Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
  in %sbug72339.php on line %d
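Review bot: `unlink($fname)` near the end of the new test body is skipped whenever `imagecreatefromgd2()` crashes the interpreter — exactly the failure this test exists to catch on an unpatched build — leaving a 64 MiB `bug72339.gd` behind in the test directory; move the removal into a `--CLEAN--` section, e.g. `--CLEAN--` followed by `<?php @unlink(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>`. The `str_repeat("\x41\x41\x41\x41", 0x1000000)` padding also looks unnecessary: the overflow check in `_gd2GetHeader` fires on the chunk counts before any chunk index entry is read, so the header bytes alone should reproduce the bug and the test would run far faster without writing 64 MiB on every run. The `fopen()` result is used without a check, so a failed open would surface as a cascade of `fwrite()` warnings rather than a clear reason for the test failing.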