1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
From 089f7c0bc28d399b0420aa6ef058e4c1c120b2ae Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 19 Jan 2019 10:35:39 +0100
Subject: [PATCH] Sync with upstream
Even though libgd/libgd#492 is not a relevant bug fix for PHP, since
the binding doesn't use the `gdImage*Ptr()` functions at all, we're
porting the fix to stay in sync here.
---
ext/gd/libgd/gd_gif_out.c | 20 +++++++++++++++++---
ext/gd/libgd/gd_jpeg.c | 17 ++++++++++++++---
ext/gd/libgd/gd_wbmp.c | 18 +++++++++++++++---
3 files changed, 46 insertions(+), 9 deletions(-)
Upstream-Status: Backport [http://git.php.net/?p=php-src.git;a=commit;h=089f7c0bc28d399b0420aa6ef058e4c1c120b2ae]
CVE: CVE-2019-6978
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
diff --git a/ext/gd/libgd/gd_gif_out.c b/ext/gd/libgd/gd_gif_out.c
index 1f2a6b936a..2e1f38af70 100644
--- a/ext/gd/libgd/gd_gif_out.c
+++ b/ext/gd/libgd/gd_gif_out.c
@@ -97,12 +97,18 @@ static void cl_hash (register count_int chsize, GifCtx *ctx);
static void char_init (GifCtx *ctx);
static void char_out (int c, GifCtx *ctx);
static void flush_char (GifCtx *ctx);
+
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+
void * gdImageGifPtr (gdImagePtr im, int *size)
{
void *rv;
gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
- gdImageGifCtx (im, out);
- rv = gdDPExtractData (out, size);
+ if (!_gdImageGifCtx(im, out)) {
+ rv = gdDPExtractData(out, size);
+ } else {
+ rv = NULL;
+ }
out->gd_free (out);
return rv;
}
@@ -115,6 +121,12 @@ void gdImageGif (gdImagePtr im, FILE * outFile)
}
void gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+{
+ _gdImageGifCtx(im, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
{
gdImagePtr pim = 0, tim = im;
int interlace, BitsPerPixel;
@@ -125,7 +137,7 @@ void gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
based temporary image. */
pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
if (!pim) {
- return;
+ return 1;
}
tim = pim;
}
@@ -138,6 +150,8 @@ void gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
/* Destroy palette based temporary image. */
gdImageDestroy( pim);
}
+
+ return 0;
}
static int
diff --git a/ext/gd/libgd/gd_jpeg.c b/ext/gd/libgd/gd_jpeg.c
index 8cf71fcbc9..ef46c4a22c 100644
--- a/ext/gd/libgd/gd_jpeg.c
+++ b/ext/gd/libgd/gd_jpeg.c
@@ -132,6 +132,7 @@ const char * gdJpegGetVersionString()
}
}
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
/*
* Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
@@ -153,8 +154,11 @@ void *gdImageJpegPtr (gdImagePtr im, int *size, int quality)
{
void *rv;
gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
- gdImageJpegCtx (im, out, quality);
- rv = gdDPExtractData (out, size);
+ if (!_gdImageJpegCtx(im, out, quality)) {
+ rv = gdDPExtractData(out, size);
+ } else {
+ rv = NULL;
+ }
out->gd_free (out);
return rv;
@@ -163,6 +167,12 @@ void *gdImageJpegPtr (gdImagePtr im, int *size, int quality)
void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+{
+ _gdImageJpegCtx(im, outfile, quality);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
{
struct jpeg_compress_struct cinfo;
struct jpeg_error_mgr jerr;
@@ -184,7 +194,7 @@ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
if (row) {
gdFree (row);
}
- return;
+ return 1;
}
cinfo.err->error_exit = fatal_jpeg_error;
@@ -277,6 +287,7 @@ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
jpeg_finish_compress (&cinfo);
jpeg_destroy_compress (&cinfo);
gdFree (row);
+ return 0;
}
gdImagePtr gdImageCreateFromJpeg (FILE * inFile)
diff --git a/ext/gd/libgd/gd_wbmp.c b/ext/gd/libgd/gd_wbmp.c
index 55ced3443d..fd9edad2ca 100644
--- a/ext/gd/libgd/gd_wbmp.c
+++ b/ext/gd/libgd/gd_wbmp.c
@@ -82,6 +82,7 @@ int gd_getin (void *in)
return (gdGetC((gdIOCtx *) in));
}
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
/* gdImageWBMPCtx
** --------------
@@ -93,6 +94,12 @@ int gd_getin (void *in)
** out: the stream where to write
*/
void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
+{
+ _gdImageWBMPCtx(image, fg, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
{
int x, y, pos;
Wbmp *wbmp;
@@ -100,7 +107,7 @@ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
/* create the WBMP */
if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL) {
gd_error("Could not create WBMP");
- return;
+ return 1;
}
/* fill up the WBMP structure */
@@ -116,7 +123,9 @@ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
/* write the WBMP to a gd file descriptor */
if (writewbmp (wbmp, &gd_putout, out)) {
+ freewbmp(wbmp);
gd_error("Could not save WBMP");
+ return 1;
}
/* des submitted this bugfix: gdFree the memory. */
freewbmp(wbmp);
@@ -204,8 +213,11 @@ void * gdImageWBMPPtr (gdImagePtr im, int *size, int fg)
{
void *rv;
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- gdImageWBMPCtx(im, fg, out);
- rv = gdDPExtractData(out, size);
+ if (!_gdImageWBMPCtx(im, fg, out)) {
+ rv = gdDPExtractData(out, size);
+ } else {
+ rv = NULL;
+ }
out->gd_free(out);
return rv;
--
2.17.1
|
