1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
From af09d8b96a8aacdd7d738fec81b695c1c58368f7 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Wed, 5 Mar 2014 10:40:36 +0100
Subject: [PATCH] Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer
CVE-2013-7327
This amends commit 8f4a537, which aimed to correct NULL dereference because of
missing check of gdImageCreateTrueColor() / gdImageCreate() return value. That
commit checks for negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows. Hence
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
is called before dst == NULL check.
This moves NULL check to happen right after gdImageCreate*(). It also removes
width and height check before gdImageCreate*(), as the same check is done by
image create functions (with an extra warning).
From thoger redhat com
---
ext/gd/libgd/gd_crop.c | 14 ++++++--------
ext/gd/tests/bug66356.phpt | 11 ++++++++++-
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
index bba425d..84edb5d 100644
--- a/ext/gd/libgd/gd_crop.c
+++ b/ext/gd/libgd/gd_crop.c
@@ -45,22 +45,20 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
gdImagePtr dst;
int y;
- /* check size */
- if (crop->width<=0 || crop->height<=0) {
- return NULL;
- }
-
/* allocate the requested size (could be only partially filled) */
if (src->trueColor) {
dst = gdImageCreateTrueColor(crop->width, crop->height);
+ if (dst == NULL) {
+ return NULL;
+ }
gdImageSaveAlpha(dst, 1);
} else {
dst = gdImageCreate(crop->width, crop->height);
+ if (dst == NULL) {
+ return NULL;
+ }
gdImagePaletteCopy(dst, src);
}
- if (dst == NULL) {
- return NULL;
- }
dst->transparent = src->transparent;
/* check position in the src image */
diff --git a/ext/gd/tests/bug66356.phpt b/ext/gd/tests/bug66356.phpt
index 2da91d6..583d749 100644
--- a/ext/gd/tests/bug66356.phpt
+++ b/ext/gd/tests/bug66356.phpt
@@ -24,6 +24,8 @@ var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" =
// POC #4
var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
+// bug 66815
+var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535)));
?>
--EXPECTF--
resource(%d) of type (gd)
@@ -35,6 +37,13 @@ Array
[width] => 10
[height] => 10
)
+
+Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
+ in %sbug66356.php on line %d
bool(false)
resource(%d) of type (gd)
-resource(%d) of type (gd)
\ No newline at end of file
+resource(%d) of type (gd)
+
+Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %sbug66356.php on line %d
+bool(false)
\ No newline at end of file
--
1.8.4.3
|
