pajoye          Thu Jul 17 18:08:05 2008 UTC

  Added files:                 (Branch: PHP_4_4)
    /php-src/ext/gd/tests       imageloadfont_invalid.phpt 

  Modified files:              
    /php-src    NEWS 
    /php-src/ext/gd     gd.c 
  Log:
  - fix crash when some crafted font are given
  
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.248&r2=1.1247.2.920.2.249&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.248 php-src/NEWS:1.1247.2.920.2.249
--- php-src/NEWS:1.1247.2.920.2.248     Thu Jul 17 14:27:52 2008
+++ php-src/NEWS        Thu Jul 17 18:08:04 2008
@@ -2,6 +2,8 @@
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ?? 2008, Version 4.4.9
 - Updated PCRE to version 7.7. (Nuno)
+- Fixed crash in imageloadfont when an invalid font is given
+  (discovered by CzechSec, fixed by Pierre)
 
 03 Jan 2008, Version 4.4.8
 - Improved fix for MOPB-02-2007. (Ilia)
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.221.2.56.2.6&r2=1.221.2.56.2.7&diff_format=u
Index: php-src/ext/gd/gd.c
diff -u php-src/ext/gd/gd.c:1.221.2.56.2.6 php-src/ext/gd/gd.c:1.221.2.56.2.7
--- php-src/ext/gd/gd.c:1.221.2.56.2.6  Mon Dec 31 07:22:47 2007
+++ php-src/ext/gd/gd.c Thu Jul 17 18:08:04 2008
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: gd.c,v 1.221.2.56.2.6 2007/12/31 07:22:47 sebastian Exp $ */
+/* $Id: gd.c,v 1.221.2.56.2.7 2008/07/17 18:08:04 pajoye Exp $ */
 
 /* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center, 
    Cold Spring Harbor Labs. */
@@ -669,6 +669,19 @@
                body_size = font->w * font->h * font->nchars;
        }
 
+       if (overflow2(font->nchars, font->h)) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading 
font, invalid font header");
+               efree(font);
+               php_stream_close(stream);
+               RETURN_FALSE;
+       }
+       if (overflow2(font->nchars * font->h, font->w )) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading 
font, invalid font header");
+               efree(font);
+               php_stream_close(stream);
+               RETURN_FALSE;
+       }
+
        if (body_size != body_size_check) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading 
font");
                efree(font);

http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imageloadfont_invalid.phpt?view=markup&rev=1.1
Index: php-src/ext/gd/tests/imageloadfont_invalid.phpt
+++ php-src/ext/gd/tests/imageloadfont_invalid.phpt



-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to