Diffstat (limited to 'php-5.5.6-CVE-2013-7327.patch')
-rw-r--r-- | php-5.5.6-CVE-2013-7327.patch | 89 |
1 files changed, 0 insertions, 89 deletions
diff --git a/php-5.5.6-CVE-2013-7327.patch b/php-5.5.6-CVE-2013-7327.patch
deleted file mode 100644
index ded5f66..0000000
--- a/php-5.5.6-CVE-2013-7327.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From af09d8b96a8aacdd7d738fec81b695c1c58368f7 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Wed, 5 Mar 2014 10:40:36 +0100
-Subject: [PATCH] Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer
- CVE-2013-7327
-
-This amends commit 8f4a537, which aimed to correct NULL dereference because of
-missing check of gdImageCreateTrueColor() / gdImageCreate() return value. That
-commit checks for negative crop rectangle width and height, but
-gdImageCreate*() can also return NULL when width * height overflows. Hence
-NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
-is called before dst == NULL check.
-
-This moves NULL check to happen right after gdImageCreate*(). It also removes
-width and height check before gdImageCreate*(), as the same check is done by
-image create functions (with an extra warning).
-
-From thoger redhat com
----
- ext/gd/libgd/gd_crop.c | 14 ++++++--------
- ext/gd/tests/bug66356.phpt | 11 ++++++++++-
- 2 files changed, 16 insertions(+), 9 deletions(-)
-
-diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
-index bba425d..84edb5d 100644
---- a/ext/gd/libgd/gd_crop.c
-+++ b/ext/gd/libgd/gd_crop.c
-@@ -45,22 +45,20 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
- gdImagePtr dst;
- int y;
-
-- /* check size */
-- if (crop->width<=0 || crop->height<=0) {
-- return NULL;
-- }
--
- /* allocate the requested size (could be only partially filled) */
- if (src->trueColor) {
- dst = gdImageCreateTrueColor(crop->width, crop->height);
-+ if (dst == NULL) {
-+ return NULL;
-+ }
- gdImageSaveAlpha(dst, 1);
- } else {
- dst = gdImageCreate(crop->width, crop->height);
-+ if (dst == NULL) {
-+ return NULL;
-+ }
- gdImagePaletteCopy(dst, src);
- }
-- if (dst == NULL) {
-- return NULL;
-- }
- dst->transparent = src->transparent;
-
- /* check position in the src image */
-diff --git a/ext/gd/tests/bug66356.phpt b/ext/gd/tests/bug66356.phpt
-index 2da91d6..583d749 100644
---- a/ext/gd/tests/bug66356.phpt
-+++ b/ext/gd/tests/bug66356.phpt
-@@ -24,6 +24,8 @@ var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" =
- // POC #4
- var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
-
-+// bug 66815
-+var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535)));
- ?>
- --EXPECTF--
- resource(%d) of type (gd)
-@@ -35,6 +37,13 @@ Array
- [width] => 10
- [height] => 10
- )
-+
-+Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
-+ in %sbug66356.php on line %d
- bool(false)
- resource(%d) of type (gd)
--resource(%d) of type (gd)
-\ No newline at end of file
-+resource(%d) of type (gd)
-+
-+Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
-+ in %sbug66356.php on line %d
-+bool(false)
-\ No newline at end of file
---
-1.8.4.3
- |