-
-
Save cmb69/7155d511152bdf40a0b2c0105c65e905 to your computer and use it in GitHub Desktop.
Fix for PHP bug #81739
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 44c528b35be125f5ba747b1902df79915d9b663d Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Tue, 18 Oct 2022 12:13:16 +0200 | |
Subject: [PATCH] Fix #81739: OOB read due to insufficient validation in | |
imageloadfont() | |
If we swap the byte order of the relevant header bytes, we need to make | |
sure again that the following multiplication does not overflow. | |
--- | |
ext/gd/gd.c | 7 +++++++ | |
ext/gd/tests/bug81739.phpt | 24 ++++++++++++++++++++++++ | |
2 files changed, 31 insertions(+) | |
create mode 100644 ext/gd/tests/bug81739.phpt | |
diff --git a/ext/gd/gd.c b/ext/gd/gd.c | |
index 336a739692..fde93bba49 100644 | |
--- a/ext/gd/gd.c | |
+++ b/ext/gd/gd.c | |
@@ -1485,6 +1485,12 @@ PHP_FUNCTION(imageloadfont) | |
font->w = FLIPWORD(font->w); | |
font->h = FLIPWORD(font->h); | |
font->nchars = FLIPWORD(font->nchars); | |
+ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) { | |
+ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header"); | |
+ efree(font); | |
+ php_stream_close(stream); | |
+ RETURN_FALSE; | |
+ } | |
body_size = font->w * font->h * font->nchars; | |
} | |
@@ -1495,6 +1501,7 @@ PHP_FUNCTION(imageloadfont) | |
RETURN_FALSE; | |
} | |
+ ZEND_ASSERT(body_size > 0); | |
font->data = emalloc(body_size); | |
b = 0; | |
while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) { | |
diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt | |
new file mode 100644 | |
index 0000000000..cc2a90381b | |
--- /dev/null | |
+++ b/ext/gd/tests/bug81739.phpt | |
@@ -0,0 +1,24 @@ | |
+--TEST-- | |
+Bug #81739 (OOB read due to insufficient validation in imageloadfont()) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded("gd")) die("skip gd extension not available"); | |
+?> | |
+--FILE-- | |
+<?php | |
+$s = fopen(__DIR__ . "/font.font", "w"); | |
+// header without character data | |
+fwrite($s, "\x01\x00\x00\x00\x20\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"); | |
+fclose($s); | |
+var_dump(imageloadfont(__DIR__ . "/font.font")); | |
+?> | |
+--CLEAN-- | |
+<?php | |
+@unlink(__DIR__ . "/font.font"); | |
+?> | |
+--EXPECTF-- | |
+Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully | |
+ in %s on line %d | |
+ | |
+Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d | |
+bool(false) | |
\ No newline at end of file | |
-- | |
2.38.0.windows.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment