Patch for 75571
commit 07dd4c36e5b2bd6032a1e589f31e87ccde4334c1 | |
Author: Christoph M. Becker <cmbecker69@gmx.de> | |
Date: Wed Nov 29 18:52:33 2017 +0100 | |
Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx | |
Due to a signedness confusion in `GetCode_` a corrupt GIF file can | |
trigger an infinite loop. Furthermore we make sure that a GIF without | |
any palette entries is treated as invalid *after* open palette entries | |
have been removed. | |
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c | |
index e0f0fe3..16776d3 100644 | |
--- a/ext/gd/libgd/gd_gif_in.c | |
+++ b/ext/gd/libgd/gd_gif_in.c | |
@@ -261,10 +261,6 @@ terminated: | |
if (!im) { | |
return 0; | |
} | |
- if (!im->colorsTotal) { | |
- gdImageDestroy(im); | |
- return 0; | |
- } | |
/* Check for open colors at the end, so | |
we can reduce colorsTotal and ultimately | |
BitsPerPixel */ | |
@@ -275,6 +271,10 @@ terminated: | |
break; | |
} | |
} | |
+ if (!im->colorsTotal) { | |
+ gdImageDestroy(im); | |
+ return 0; | |
+ } | |
return im; | |
} | |
/* }}} */ | |
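Review bot: The relocated `if (!im->colorsTotal)` check carries no comment saying why it has to come after the open-colour trimming loop, so a later cleanup could move it back up as an early exit and again accept an image whose palette only becomes empty during trimming. I would add a line above it such as `/* Must run after trimming open entries: the palette can only become empty here. */`. The loop itself begins outside this hunk, so the fact that it lowers colorsTotal is inferred from the existing comment above it and from the commit message.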
@@ -375,7 +375,7 @@ static int | |
GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) | |
{ | |
int i, j, ret; | |
- unsigned char count; | |
+ int count; | |
if (flag) { | |
scd->curbit = 0; | |
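Review bot: The declaration `int count;` does not record why the type must be signed, although the whole fix rests on it. Presumably the block-read result stored in `count` further down can be negative on a read error and used to wrap to a positive value in the old `unsigned char`, so the termination test never fired; that assignment lies outside this hunk, as does the rest of GetCode_'s body. I would annotate the declaration, e.g. `int count; /* signed: a negative read result must stay negative so decoding terminates */`. It is also worth confirming that every later use of `count` as a length or offset happens only after the error value has been rejected.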
diff --git a/ext/gd/tests/bug75571.gif b/ext/gd/tests/bug75571.gif | |
new file mode 100644 | |
index 0000000..3c30b40 | |
Binary files /dev/null and b/ext/gd/tests/bug75571.gif differ | |
diff --git a/ext/gd/tests/bug75571.phpt b/ext/gd/tests/bug75571.phpt | |
new file mode 100644 | |
index 0000000..5bd26b8 | |
--- /dev/null | |
+++ b/ext/gd/tests/bug75571.phpt | |
@@ -0,0 +1,15 @@ | |
+--TEST-- | |
+Bug #75571 (Infinite loop in GIF reading causing DoS) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('gd')) die('skip gd extension not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+var_dump(imagecreatefromgif(__DIR__ . '/bug75571.gif')); | |
+?> | |
+===DONE=== | |
+--EXPECTF-- | |
+Warning: imagecreatefromgif(): '%s' is not a valid GIF file in %s on line %d | |
+bool(false) | |
+===DONE=== |