pajoye          Wed May 16 22:54:11 2007 UTC

  Modified files:              (Branch: PHP_4_4)
    /php-src    NEWS 
    /php-src/ext/gd/libgd       gd_png.c 
  Log:
  - MFH: libgd #86: Fixed possible infinite loop in libgd/gd_png.c, fix test
      (Reported by Xavier Roche)
  
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.227&r2=1.1247.2.920.2.228&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.227 php-src/NEWS:1.1247.2.920.2.228
--- php-src/NEWS:1.1247.2.920.2.227     Tue May  8 18:00:37 2007
+++ php-src/NEWS        Wed May 16 22:54:11 2007
@@ -4,6 +4,8 @@
 - Fixed bug #38798 (OpenSSL init corrected in php5 but not in php4). (Tony)
        
 04 May 2007, Version 4.4.7
+- Fixed libgd #86 (Fixed possible infinite loop in imagecreatefrompng) 
+  (Reported by Xavier Roche) (Pierre)
 - Fixed MOPB-33-2007 (PHP mail() Message ASCIIZ Byte Truncation). (Ilia)
 - Fixed MOPB-32-2007 (Double free inside session_decode()). (Ilia)
 - Fixed MOPB-26-2007 (mb_parse_str() can be used to activate
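Review bot: The new entry is filed under the "04 May 2007, Version 4.4.7" heading, but this commit is dated 16 May 2007, after the date that heading carries. It would read more accurately in the section above that heading, next to the bug #38798 entry. The added line "- Fixed libgd #86 (Fixed possible infinite loop in imagecreatefrompng) " also repeats "Fixed" and ends in a trailing space. Something like "- Fixed libgd #86 (Possible infinite loop in imagecreatefrompng)" matches the style of the neighbouring entries.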
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_png.c?r1=1.4.2.7&r2=1.4.2.7.4.1&diff_format=u
Index: php-src/ext/gd/libgd/gd_png.c
diff -u php-src/ext/gd/libgd/gd_png.c:1.4.2.7 
php-src/ext/gd/libgd/gd_png.c:1.4.2.7.4.1
--- php-src/ext/gd/libgd/gd_png.c:1.4.2.7       Mon Mar 29 18:21:00 2004
+++ php-src/ext/gd/libgd/gd_png.c       Wed May 16 22:54:11 2007
@@ -71,7 +71,11 @@
 
 static void gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t 
length)
 {
-       gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+       int check;
+       check = gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+       if (check != length) {
+               png_error(png_ptr, "Read Error: truncated data");
+       }
 }
 
 static void gdPngWriteData (png_structp png_ptr, png_bytep data, png_size_t 
length)
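Review bot: In gdPngReadData, "if (check != length)" compares an int with a png_size_t, so check is converted to unsigned before the comparison. A short read is still caught, but the result depends on that implicit conversion, and a length that does not fit in an int could not be represented in check at all. Consider rejecting a negative return explicitly and comparing in a single type, for example "if (check < 0 || (png_size_t) check != length)". The declaration and assignment can also be merged into one line. Note that the fix relies on png_error() not returning to the caller, so a short comment saying that a truncated stream aborts decoding at this point would help the next reader understand why the loop can no longer spin on a short read.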

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
