archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix GH-16771: imagecreatefromstring overflow on invalid format.

Browse source 
close GH-16776
This commit is contained in:
David Carlier 2024-11-13 07:26:24 +00:00
parent 19809a526b
commit 4124b04e34
No known key found for this signature in database
GPG key ID: 8486F847B4B94EF1
3 changed files with 14 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -13,6 +13,9 @@ PHP NEWS
- FPM: - FPM:
. Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka) . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
- GD:
. Fixed GH-16776 (imagecreatefromstring overflow). (David Carlier)
- Hash: - Hash:
. Fixed GH-16711: Segfault in mhash(). (Girgias) . Fixed GH-16711: Segfault in mhash(). (Girgias)

2
ext/gd/gd.c
View file

@ -1323,7 +1323,7 @@ static int _php_ctx_getmbi(gdIOCtx *ctx)
do { do {
i = (ctx->getC)(ctx); i = (ctx->getC)(ctx);
if (i < 0) { if (i < 0 || mbi > (INT_MAX >> 7)) {
return -1; return -1;
} }
mbi = (mbi << 7) | (i & 0x7f); mbi = (mbi << 7) | (i & 0x7f);

10
ext/gd/tests/gh16771.phpt Normal file
View file

@ -0,0 +1,10 @@
--TEST--
GH-16771 (UBSan abort in ext/gd/libgd/gd.c:1372)
--EXTENSIONS--
gd
--FILE--
<?php
$string_mb = base64_decode('5pel5pys6Kqe44OG44Kt44K544OIMzTvvJXvvJbml6XmnKzoqp7jg4bjgq3jgrnjg4g=');
imagecreatefromstring($string_mb);
--EXPECTF--
Warning: imagecreatefromstring(): Data is not in a recognized format in %s on line %d