Fix for PHP bug #77973
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 347ec1b381419088b689532439ed33ad84172941 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 6 May 2019 10:18:51 +0200 | |
Subject: [PATCH] Fix #77973: Uninitialized read in gdImageCreateFromXbm | |
We have to ensure that `sscanf()` does indeed read a hex value here, | |
and bail out otherwise. | |
--- | |
ext/gd/libgd/xbm.c | 6 +++++- | |
ext/gd/tests/bug77973.phpt | 26 ++++++++++++++++++++++++++ | |
2 files changed, 31 insertions(+), 1 deletion(-) | |
create mode 100644 ext/gd/tests/bug77973.phpt | |
diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c | |
index 6ff18cdee0..bde590d151 100644 | |
--- a/ext/gd/libgd/xbm.c | |
+++ b/ext/gd/libgd/xbm.c | |
@@ -135,7 +135,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd) | |
} | |
h[3] = ch; | |
} | |
- sscanf(h, "%x", &b); | |
+ if (sscanf(h, "%x", &b) != 1) { | |
+ php_gd_error("invalid XBM"); | |
+ gdImageDestroy(im); | |
+ return 0; | |
+ } | |
for (bit = 1; bit <= max_bit; bit = bit << 1) { | |
gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); | |
if (x == im->sx) { | |
diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt | |
new file mode 100644 | |
index 0000000000..2545dbe128 | |
--- /dev/null | |
+++ b/ext/gd/tests/bug77973.phpt | |
@@ -0,0 +1,26 @@ | |
+--TEST-- | |
+Bug #77973 (Uninitialized read in gdImageCreateFromXbm) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('gd')) die("skip gd extension not available"); | |
+if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available"); | |
+?> | |
+--FILE-- | |
+<?php | |
+$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a"); | |
+$filepath = __DIR__ . '/bug77973.xbm'; | |
+file_put_contents($filepath, $contents); | |
+$im = imagecreatefromxbm($filepath); | |
+var_dump($im); | |
+?> | |
+===DONE=== | |
+--EXPECTF-- | |
+Warning: imagecreatefromxbm(): invalid XBM in %s on line %d | |
+ | |
+Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d | |
+bool(false) | |
+===DONE=== | |
+--CLEAN-- | |
+<?php | |
+unlink(__DIR__ . '/bug77973.xbm'); | |
+?> | |
-- | |
2.21.0.windows.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment