Fix PHP bug #77270
From 23d0a0bc3c0b858e5b491373e59b7c3e5c7d7ed5 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Sun, 30 Dec 2018 13:59:26 +0100 | |
Subject: [PATCH] Fix #77270: imagecolormatch Out Of Bounds Write on Heap | |
At least some of the image reading functions may return images which | |
use color indexes greater than or equal to im->colorsTotal. We cater | |
to this by always using a buffer size which is sufficient for | |
`gdMaxColors` in `gdImageColorMatch()`. | |
--- | |
ext/gd/libgd/gd_color_match.c | 4 ++-- | |
ext/gd/tests/bug77270.phpt | 18 ++++++++++++++++++ | |
2 files changed, 20 insertions(+), 2 deletions(-) | |
create mode 100644 ext/gd/tests/bug77270.phpt | |
diff --git a/ext/gd/libgd/gd_color_match.c b/ext/gd/libgd/gd_color_match.c | |
index a4e56b1c40..e6f539bc75 100644 | |
--- a/ext/gd/libgd/gd_color_match.c | |
+++ b/ext/gd/libgd/gd_color_match.c | |
@@ -33,8 +33,8 @@ int gdImageColorMatch (gdImagePtr im1, gdImagePtr im2) | |
return -4; /* At least 1 color must be allocated */ | |
} | |
- buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0); | |
- memset( buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); | |
+ buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * gdMaxColors, 0); | |
+ memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); | |
for (x=0; x<im1->sx; x++) { | |
for( y=0; y<im1->sy; y++ ) { | |
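Review bot: The new allocation size is written out twice, once for safe_emalloc and again for memset, and the reason gdMaxColors is the right bound lives only in the commit message; a comment at the allocation would keep that reasoning with the code, e.g. `/* palette pixel indexes can reach gdMaxColors-1 even when im2->colorsTotal is smaller (bug #77270), so size the buffer for the maximum */`. Hoisting the byte count into one local, `size_t bufsz = sizeof(unsigned long) * 5 * gdMaxColors;`, and using it in both calls would remove the duplicated expression, and the `(unsigned long *)` cast on the allocator result is unnecessary in C. The body of gdImageColorMatch, including the loop that presumably indexes buf by pixel color, continues outside the hunk, so the adequacy of the new bound cannot be confirmed from these lines alone.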
diff --git a/ext/gd/tests/bug77270.phpt b/ext/gd/tests/bug77270.phpt | |
new file mode 100644 | |
index 0000000000..1c4555a64d | |
--- /dev/null | |
+++ b/ext/gd/tests/bug77270.phpt | |
@@ -0,0 +1,18 @@ | |
+--TEST-- | |
+Bug #77270 (imagecolormatch Out Of Bounds Write on Heap) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('gd')) die('skip gd extension not available'); | |
+if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.5', '<=')) die('skip upstream bugfix has not been released'); | |
+?> | |
+--FILE-- | |
+<?php | |
+$img1 = imagecreatetruecolor(0xfff, 0xfff); | |
+$img2 = imagecreate(0xfff, 0xfff); | |
+imagecolorallocate($img2, 0, 0, 0); | |
+imagesetpixel($img2, 0, 0, 255); | |
+imagecolormatch($img1, $img2); | |
+?> | |
+===DONE=== | |
+--EXPECT-- | |
+===DONE=== | |
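Review bot: The test passes whenever the script reaches `===DONE===`, so it only catches the bug when the heap overflow crashes the process or a sanitizer is active, and nothing in the file says why pixel value 255 is chosen. A one-line comment before the imagesetpixel call would make the intent reviewable, e.g. `// 255 is the largest palette index; img2 has only one allocated color, so the index exceeds colorsTotal`. Freeing the two images at the end is optional for a phpt but would keep the test tidy.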
-- | |
2.17.0.windows.1 | |
Is there code to prevent
sizeof(unsigned long) * 5 * gdMaxColors
from overflowing? Thanks