iliaa Wed, 08 Dec 2010 22:30:12 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=306097
Log: Fixed bug #53492 (fix crash if anti-aliasing steps are invalid). Bug: http://bugs.php.net/53492 (Closed) Stack buffer overflow in imagepstext Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/gd/gd.c Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2010-12-08 22:07:40 UTC (rev 306096) +++ php/php-src/branches/PHP_5_2/NEWS 2010-12-08 22:30:12 UTC (rev 306097) @@ -1,21 +1,18 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2010, PHP 5.2.15 - -02 Dec 2010, PHP 5.2.15RC2 +09 Dec 2010, PHP 5.2.15 - Fixed extract() to do not overwrite $GLOBALS and $this when using - EXTR_OVERWRITE. (jorto at redhat dot com) - -18 Nov 2010, PHP 5.2.15RC1 + EXTR_OVERWRITE. (jorto at redhat dot com) - Fixed crash in zip extract method (possible CWE-170). (Maksymilian Arciemowicz, Pierre) - Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). (Ilia) - Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre) - Fixed possible crash in mssql_fetch_batch(). (Kalle) - - Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). (Maksymilian Arciemowicz) + +- Fixed bug #53492 (fix crash if anti-aliasing steps are invalid). (Pierre) - Fixed bug #53323 (pdo_firebird getAttribute() crash). (preeves at ibphoenix dot com) - Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with Modified: php/php-src/branches/PHP_5_2/ext/gd/gd.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/gd/gd.c 2010-12-08 22:07:40 UTC (rev 306096) +++ php/php-src/branches/PHP_5_2/ext/gd/gd.c 2010-12-08 22:30:12 UTC (rev 306097) 
@@ -4593,6 +4593,11 @@ return; } + if (aa_steps != 4 || aa_steps != 16) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "AA steps must be 4 or 16"); + RETURN_FALSE; + } + ZEND_FETCH_RESOURCE(bg_img, gdImagePtr, &img, -1, "Image", le_gd); ZEND_FETCH_RESOURCE(f_ind, int *, &fnt, -1, "Type 1 font", le_ps_font);
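Review bot: the new check in the ext/gd/gd.c hunk, `if (aa_steps != 4 || aa_steps != 16)`, is true for every value of aa_steps, because no value can equal both 4 and 16. The function therefore emits the warning and hits RETURN_FALSE even when the caller passes 4 or 16, and the ZEND_FETCH_RESOURCE calls below it are never reached. Join the comparisons with `&&`, as in `if (aa_steps != 4 && aa_steps != 16)`, so that only values other than 4 and 16 are rejected, which is what the warning text "AA steps must be 4 or 16" describes.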
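Review bot: the NEWS entry added for bug #53492 describes the issue only as a "crash if anti-aliasing steps are invalid", while the bug itself is titled "Stack buffer overflow in imagepstext". Naming the overflow and the affected function in the entry would let changelog readers recognise this as a memory-safety fix. The entry also credits Pierre although this revision is committed by iliaa, so the attribution is worth confirming.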