Skip to content

Instantly share code, notes, and snippets.

/75571.diff Secret

Created December 1, 2017 22:02
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save anonymous/2c5331292f9e77e694ad9dd8901a3a11 to your computer and use it in GitHub Desktop.
Patch for 75571
commit 07dd4c36e5b2bd6032a1e589f31e87ccde4334c1
Author: Christoph M. Becker <cmbecker69@gmx.de>
Date: Wed Nov 29 18:52:33 2017 +0100
Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx
Due to a signedness confusion in `GetCode_` a corrupt GIF file can
trigger an infinite loop. Furthermore we make sure that a GIF without
any palette entries is treated as invalid *after* open palette entries
have been removed.
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index e0f0fe3..16776d3 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -261,10 +261,6 @@ terminated:
if (!im) {
return 0;
}
- if (!im->colorsTotal) {
- gdImageDestroy(im);
- return 0;
- }
/* Check for open colors at the end, so
we can reduce colorsTotal and ultimately
BitsPerPixel */
@@ -275,6 +271,10 @@ terminated:
break;
}
}
+ if (!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
return im;
}
/* }}} */
@@ -375,7 +375,7 @@ static int
GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
{
int i, j, ret;
- unsigned char count;
+ int count;
if (flag) {
scd->curbit = 0;
diff --git a/ext/gd/tests/bug75571.gif b/ext/gd/tests/bug75571.gif
new file mode 100644
index 0000000..3c30b40
Binary files /dev/null and b/ext/gd/tests/bug75571.gif differ
diff --git a/ext/gd/tests/bug75571.phpt b/ext/gd/tests/bug75571.phpt
new file mode 100644
index 0000000..5bd26b8
--- /dev/null
+++ b/ext/gd/tests/bug75571.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #75571 (Infinite loop in GIF reading causing DoS)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgif(__DIR__ . '/bug75571.gif'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgif(): '%s' is not a valid GIF file in %s on line %d
+bool(false)
+===DONE===
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment