archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-19 08:49:28 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop())

Browse source 
Initial fix was PHP stuff
This one is libgd fix.

- filter invalid crop size
- dont try to copy on invalid position
- fix crop size when out of src image
- fix possible NULL deref
- fix possible integer overfloow
This commit is contained in:
Remi Collet 2013-12-28 14:22:13 +01:00
parent aba76f09fa
commit 8f4a5373bb
3 changed files with 54 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -29,7 +29,8 @@ PHP NEWS
. Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer). (Adam) . Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer). (Adam)
- GD: - GD:
. Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (Laruence) . Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()).
(Laruence, Remi)
. Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)). . Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
(Adam) (Adam)

52
ext/gd/libgd/gd_crop.c
View file

@ -44,6 +44,12 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
{ {
gdImagePtr dst; gdImagePtr dst;
/* check size */
if (crop->width<=0 || crop->height<=0) {
return NULL;
}
/* allocate the requested size (could be only partially filled) */
if (src->trueColor) { if (src->trueColor) {
dst = gdImageCreateTrueColor(crop->width, crop->height); dst = gdImageCreateTrueColor(crop->width, crop->height);
gdImageSaveAlpha(dst, 1); gdImageSaveAlpha(dst, 1);
@ -51,37 +57,43 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
dst = gdImageCreate(crop->width, crop->height); dst = gdImageCreate(crop->width, crop->height);
gdImagePaletteCopy(dst, src); gdImagePaletteCopy(dst, src);
} }
if (dst == NULL) {
return NULL;
}
dst->transparent = src->transparent; dst->transparent = src->transparent;
if (src->sx < (crop->x + crop->width -1)) { /* check position in the src image */
crop->width = src->sx - crop->x + 1; if (crop->x < 0 || crop->x>=src->sx || crop->y<0 || crop->y>=src->sy) {
return dst;
} }
if (src->sy < (crop->y + crop->height -1)) {
crop->height = src->sy - crop->y + 1; /* reduce size if needed */
if ((src->sx - crop->width) < crop->x) {
crop->width = src->sx - crop->x;
} }
if ((src->sy - crop->height) < crop->y) {
crop->height = src->sy - crop->y;
}
#if 0 #if 0
printf("rect->x: %i\nrect->y: %i\nrect->width: %i\nrect->height: %i\n", crop->x, crop->y, crop->width, crop->height); printf("rect->x: %i\nrect->y: %i\nrect->width: %i\nrect->height: %i\n", crop->x, crop->y, crop->width, crop->height);
#endif #endif
if (dst == NULL) { int y = crop->y;
return NULL; if (src->trueColor) {
unsigned int dst_y = 0;
while (y < (crop->y + (crop->height - 1))) {
/* TODO: replace 4 w/byte per channel||pitch once available */
memcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);
}
} else { } else {
int y = crop->y; int x;
if (src->trueColor) { for (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {
unsigned int dst_y = 0; for (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {
while (y < (crop->y + (crop->height - 1))) { dst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];
/* TODO: replace 4 w/byte per channel||pitch once available */
memcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);
}
} else {
int x;
for (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {
for (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {
dst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];
}
} }
} }
return dst;
} }
return dst;
} }
/** /**

22
ext/gd/tests/bug66356.phpt
View file

@ -7,12 +7,27 @@ Bug #66356 (Heap Overflow Vulnerability in imagecrop())
--FILE-- --FILE--
<?php <?php
$img = imagecreatetruecolor(10, 10); $img = imagecreatetruecolor(10, 10);
$img = imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10));
// POC #1
var_dump(imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10)));
$arr = array("x" => "a", "y" => "12b", "width" => 10, "height" => 10); $arr = array("x" => "a", "y" => "12b", "width" => 10, "height" => 10);
$img = imagecrop($img, $arr); var_dump(imagecrop($img, $arr));
print_r($arr); print_r($arr);
// POC #2
var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => -1, "height" => 10)));
// POC #3
var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" => 10)));
// POC #4
var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
?> ?>
--EXPECTF-- --EXPECTF--
resource(%d) of type (gd)
resource(%d) of type (gd)
Array Array
( (
[x] => a [x] => a
@ -20,3 +35,6 @@ Array
[width] => 10 [width] => 10
[height] => 10 [height] => 10
) )
bool(false)
resource(%d) of type (gd)
resource(%d) of type (gd)