blob: a7c35fe43931535a36523ec81f6fd1be7e288f26 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
From 4b8394dd78571826ac66a69dc240c623f31d78f8 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 7 Dec 2015 23:30:49 -0800
Subject: [PATCH] Fix bug #70976: fix boundary check on
gdImageRotateInterpolated
Upstream-Status: Backport
https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8
CVE: CVE-2016-1903
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ext/gd/libgd/gd_interpolation.c | 2 +-
ext/gd/tests/bug70976.phpt | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
create mode 100644 ext/gd/tests/bug70976.phpt
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index f70169d..0f874ac 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
{
const int angle_rounded = (int)floor(angle * 100);
- if (bgcolor < 0) {
+ if (bgcolor < 0 || bgcolor >= gdMaxColors) {
return NULL;
}
diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt
new file mode 100644
index 0000000..23af4ee
--- /dev/null
+++ b/ext/gd/tests/bug70976.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
+--SKIPIF--
+<?php
+ if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+?>
+--FILE--
+<?php
+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
+var_dump($img);
+?>
+--EXPECTF--
+bool(false)
\ No newline at end of file
--
2.3.5
|
