diff options
Diffstat (limited to 'meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch')
| -rw-r--r-- | meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch new file mode 100644 index 0000000000..0d5a9d2336 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch @@ -0,0 +1,42 @@ +Fix #72696: imagefilltoborder stackoverflow on truecolor images + +We must not allow negative color values be passed to +gdImageFillToBorder(), because that can lead to infinite recursion +since the recursion termination condition will not necessarily be met. + +Upstream-status: Backport + +CVE: CVE-2016-9933 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> +Index: php-5.6.26/ext/gd/libgd/gd.c +=================================================================== +--- php-5.6.26.orig/ext/gd/libgd/gd.c 2016-09-16 02:32:50.000000000 +0530 ++++ php-5.6.26/ext/gd/libgd/gd.c 2017-07-07 18:18:38.079721713 +0530 +@@ -1780,7 +1780,7 @@ + int leftLimit = -1, rightLimit; + int i, restoreAlphaBlending = 0; + +- if (border < 0) { ++ if (border < 0 || color < 0) { + /* Refuse to fill to a non-solid border */ + return; + } +Index: php-5.6.26/ext/gd/tests/bug72696.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php-5.6.26/ext/gd/tests/bug72696.phpt 2017-07-07 18:19:16.939987470 +0530 +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #72696 (imagefilltoborder stackoverflow on truecolor images) ++--SKIPIF-- ++<?php ++if (!extension_loaded('gd')) die('skip gd extension not available'); ++?> ++--FILE-- ++<?php ++$im = imagecreatetruecolor(10, 10); ++imagefilltoborder($im, 0, 0, 1, -2); ++?> ++===DONE=== ++--EXPECT-- ++===DONE=== |