pajoye Thu Jul 17 22:58:24 2008 UTC
Added files: (Branch: PHP_5_2)
/php-src/ext/gd/tests imageloadfont_invalid.phpt
Modified files:
/php-src/ext/gd gd.c
Log:
- MFB: fix crash when some crafted font are given
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.35&r2=1.312.2.20.2.36&diff_format=u
Index: php-src/ext/gd/gd.c
diff -u php-src/ext/gd/gd.c:1.312.2.20.2.35 php-src/ext/gd/gd.c:1.312.2.20.2.36
--- php-src/ext/gd/gd.c:1.312.2.20.2.35 Sun May 4 21:19:17 2008
+++ php-src/ext/gd/gd.c Thu Jul 17 22:58:23 2008
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: gd.c,v 1.312.2.20.2.35 2008/05/04 21:19:17 colder Exp $ */
+/* $Id: gd.c,v 1.312.2.20.2.36 2008/07/17 22:58:23 pajoye Exp $ */
/* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center,
Cold Spring Harbor Labs. */
@@ -1636,6 +1636,22 @@
font->nchars = FLIPWORD(font->nchars);
body_size = font->w * font->h * font->nchars;
}
+
+ if (overflow2(font->nchars, font->h)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading
font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
+ if (overflow2(font->nchars * font->h, font->w )) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading
font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
+
+
+
if (body_size != body_size_check) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading
font");
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imageloadfont_invalid.phpt?view=markup&rev=1.1
Index: php-src/ext/gd/tests/imageloadfont_invalid.phpt
+++ php-src/ext/gd/tests/imageloadfont_invalid.phpt
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
