Backported for 2.1, without binary patch, from:
From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Tue, 28 Jun 2016 16:23:42 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
_gd2GetHeader() resulting in heap overflow
---
src/gd_gd2.c | 5 ++++-
tests/gd2/CMakeLists.txt | 1 +
tests/gd2/Makemodule.am | 6 ++++--
tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
5 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 tests/gd2/php_bug_72339.c
create mode 100644 tests/gd2/php_bug_72339_exp.gd2
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index fd1e0c9..bdbbecf 100644
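--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 nc = (*ncx) * (*ncy);
 GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
 sidx = sizeof (t_chunk_info) * nc;
+ if (overflow2(sidx, nc)) {
+ goto fail1;
+ }
 cidx = gdCalloc (sidx, 1);
- if (!cidx) {
+ if (cidx == NULL) {
 goto fail1;
 }
 for (i = 0; i < nc; i++) {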
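Review bot: The added `overflow2(sidx, nc)` check runs after `sidx = sizeof (t_chunk_info) * nc` has already been computed, and it tests `sidx * nc` rather than the product that is passed to `gdCalloc`. It therefore guards the allocation size only indirectly, and it will also refuse chunk counts whose index would have fit. Checking the operands before multiplying states the intent directly: `if (overflow2(sizeof (t_chunk_info), nc)) { goto fail1; }` placed above the `sidx` assignment. The context line `nc = (*ncx) * (*ncy);` is a second product with no guard visible in this hunk, and both values presumably come from the file being parsed. If they are not range-checked earlier in `_gd2GetHeader` (the function starts and ends outside the hunk), that multiplication needs the same treatment, e.g. `if (overflow2(*ncx, *ncy)) goto fail1;`.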