summaryrefslogtreecommitdiffstats
path: root/php-5.5.6-CVE-2013-7327.patch
diff options
context:
space:
mode:
Diffstat (limited to 'php-5.5.6-CVE-2013-7327.patch')
-rw-r--r--php-5.5.6-CVE-2013-7327.patch89
1 files changed, 89 insertions, 0 deletions
diff --git a/php-5.5.6-CVE-2013-7327.patch b/php-5.5.6-CVE-2013-7327.patch
new file mode 100644
index 0000000..ded5f66
--- /dev/null
+++ b/php-5.5.6-CVE-2013-7327.patch
@@ -0,0 +1,89 @@
+From af09d8b96a8aacdd7d738fec81b695c1c58368f7 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Wed, 5 Mar 2014 10:40:36 +0100
+Subject: [PATCH] Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer
+ CVE-2013-7327
+
+This amends commit 8f4a537, which aimed to correct NULL dereference because of
+missing check of gdImageCreateTrueColor() / gdImageCreate() return value. That
+commit checks for negative crop rectangle width and height, but
+gdImageCreate*() can also return NULL when width * height overflows. Hence
+NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
+is called before dst == NULL check.
+
+This moves NULL check to happen right after gdImageCreate*(). It also removes
+width and height check before gdImageCreate*(), as the same check is done by
+image create functions (with an extra warning).
+
+From thoger redhat com
+---
+ ext/gd/libgd/gd_crop.c | 14 ++++++--------
+ ext/gd/tests/bug66356.phpt | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
+index bba425d..84edb5d 100644
+--- a/ext/gd/libgd/gd_crop.c
++++ b/ext/gd/libgd/gd_crop.c
+@@ -45,22 +45,20 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
+ gdImagePtr dst;
+ int y;
+
+- /* check size */
+- if (crop->width<=0 || crop->height<=0) {
+- return NULL;
+- }
+-
+ /* allocate the requested size (could be only partially filled) */
+ if (src->trueColor) {
+ dst = gdImageCreateTrueColor(crop->width, crop->height);
++ if (dst == NULL) {
++ return NULL;
++ }
+ gdImageSaveAlpha(dst, 1);
+ } else {
+ dst = gdImageCreate(crop->width, crop->height);
++ if (dst == NULL) {
++ return NULL;
++ }
+ gdImagePaletteCopy(dst, src);
+ }
+- if (dst == NULL) {
+- return NULL;
+- }
+ dst->transparent = src->transparent;
+
+ /* check position in the src image */
+diff --git a/ext/gd/tests/bug66356.phpt b/ext/gd/tests/bug66356.phpt
+index 2da91d6..583d749 100644
+--- a/ext/gd/tests/bug66356.phpt
++++ b/ext/gd/tests/bug66356.phpt
+@@ -24,6 +24,8 @@ var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" =
+ // POC #4
+ var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
+
++// bug 66815
++var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535)));
+ ?>
+ --EXPECTF--
+ resource(%d) of type (gd)
+@@ -35,6 +37,13 @@ Array
+ [width] => 10
+ [height] => 10
+ )
++
++Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
++ in %sbug66356.php on line %d
+ bool(false)
+ resource(%d) of type (gd)
+-resource(%d) of type (gd)
+\ No newline at end of file
++resource(%d) of type (gd)
++
++Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
++ in %sbug66356.php on line %d
++bool(false)
+\ No newline at end of file
+--
+1.8.4.3
+