archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-17 22:48:57 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop())

Browse source 
Initial fix was PHP stuff
This one is libgd fix.

- filter invalid crop size
- dont try to copy on invalid position
- fix crop size when out of src image
- fix possible NULL deref
- fix possible integer overfloow
This commit is contained in:
Remi Collet 2013-12-28 14:22:13 +01:00
parent aba76f09fa
commit 8f4a5373bb
3 changed files with 54 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -29,7 +29,8 @@ PHP NEWS
. Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer). (Adam)
- GD:
. Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (Laruence)
. Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()).
(Laruence, Remi)
. Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
(Adam)

52
ext/gd/libgd/gd_crop.c
View file

@ -44,6 +44,12 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
{
gdImagePtr dst;
/* check size */
if (crop->width<=0 || crop->height<=0) {
return NULL;
}
/* allocate the requested size (could be only partially filled) */
if (src->trueColor) {
dst = gdImageCreateTrueColor(crop->width, crop->height);
gdImageSaveAlpha(dst, 1);
@ -51,37 +57,43 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
dst = gdImageCreate(crop->width, crop->height);
gdImagePaletteCopy(dst, src);
}
if (dst == NULL) {
return NULL;
}
dst->transparent = src->transparent;
if (src->sx < (crop->x + crop->width -1)) {
crop->width = src->sx - crop->x + 1;
/* check position in the src image */
if (crop->x < 0 || crop->x>=src->sx || crop->y<0 || crop->y>=src->sy) {
return dst;
}
if (src->sy < (crop->y + crop->height -1)) {
crop->height = src->sy - crop->y + 1;
/* reduce size if needed */
if ((src->sx - crop->width) < crop->x) {
crop->width = src->sx - crop->x;
}
if ((src->sy - crop->height) < crop->y) {
crop->height = src->sy - crop->y;
}
#if 0
printf("rect->x: %i\nrect->y: %i\nrect->width: %i\nrect->height: %i\n", crop->x, crop->y, crop->width, crop->height);
#endif
if (dst == NULL) {
return NULL;
int y = crop->y;
if (src->trueColor) {
unsigned int dst_y = 0;
while (y < (crop->y + (crop->height - 1))) {
/* TODO: replace 4 w/byte per channel||pitch once available */
memcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);
}
} else {
int y = crop->y;
if (src->trueColor) {
unsigned int dst_y = 0;
while (y < (crop->y + (crop->height - 1))) {
/* TODO: replace 4 w/byte per channel||pitch once available */
memcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);
}
} else {
int x;
for (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {
for (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {
dst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];
}
int x;
for (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {
for (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {
dst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];
}
}
return dst;
}
return dst;
}
/**

22
ext/gd/tests/bug66356.phpt
View file

@ -7,12 +7,27 @@ Bug #66356 (Heap Overflow Vulnerability in imagecrop())
--FILE--
<?php
$img = imagecreatetruecolor(10, 10);
$img = imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10));
// POC #1
var_dump(imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10)));
$arr = array("x" => "a", "y" => "12b", "width" => 10, "height" => 10);
$img = imagecrop($img, $arr);
var_dump(imagecrop($img, $arr));
print_r($arr);
// POC #2
var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => -1, "height" => 10)));
// POC #3
var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" => 10)));
// POC #4
var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
?>
--EXPECTF--
resource(%d) of type (gd)
resource(%d) of type (gd)
Array
(
[x] => a
@ -20,3 +35,6 @@ Array
[width] => 10
[height] => 10
)
bool(false)
resource(%d) of type (gd)
resource(%d) of type (gd)