Commit: 9480de29db25982c75a7317ba779eec3d3847781 Author: Remi Collet <r...@php.net> Mon, 6 May 2013 10:00:45 +0200 Parents: 4cea61a0fa16fba72e496d72b6c2aa8934d1b032 Branches: PHP-5.5 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=9480de29db25982c75a7317ba779eec3d3847781 Log: Revert removal of overflow2 use in gd.c Function provided by gd_security with bundled libgd Function provided by gd_compat with system libgd This fix failed test imageloadfont_invalid.phpt This test now also pass with system libgd Changed paths: M ext/gd/gd.c M ext/gd/gd_compat.c M ext/gd/gd_compat.h M ext/gd/tests/imageloadfont_invalid.phpt Diff: diff --git a/ext/gd/gd.c b/ext/gd/gd.c index d463444..d6d2848 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -57,9 +57,8 @@ # include <X11/xpm.h> #endif -#ifndef HAVE_GD_BUNDLED # include "gd_compat.h" -#endif /* HAVE_GD_BUNDLED */ + static int le_gd, le_gd_font; #if HAVE_LIBT1 @@ -1468,9 +1467,7 @@ PHP_FUNCTION(imageloadfont) body_size = font->w * font->h * font->nchars; } - if ((font->nchars <= 0 || font->h <= 0 || font->w <= 0 ) || \ - (font->nchars > INT_MAX / font->h) || \ - (font->nchars * font->h > INT_MAX / font->w)) { + if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); efree(font); php_stream_close(stream); diff --git a/ext/gd/gd_compat.c b/ext/gd/gd_compat.c index 35b6457..14538d4 100644 --- a/ext/gd/gd_compat.c +++ b/ext/gd/gd_compat.c @@ -10,6 +10,7 @@ #endif #include "gd_compat.h" +#include <TSRM.h> #ifdef HAVE_GD_JPG int gdJpegGetVersionInt() @@ -45,3 +46,18 @@ const char * gdPngGetVersionString() } #endif +int overflow2(int a, int b) +{ + TSRMLS_FETCH(); + + if(a <= 0 || b <= 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully\n"); + return 1; + } + if(a > INT_MAX / b) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); + return 1; + } + return 0; +} + diff --git a/ext/gd/gd_compat.h b/ext/gd/gd_compat.h index ea812ea..db757f5 100644 --- a/ext/gd/gd_compat.h +++ b/ext/gd/gd_compat.h @@ -1,8 +1,14 @@ #ifndef GD_COMPAT_H #define GD_COMPAT_H 1 +#ifndef HAVE_GD_BUNDLED +/* from gd_compat.c */ const char * gdPngGetVersionString(); const char * gdJpegGetVersionString(); int gdJpegGetVersionInt(); +#endif + +/* from gd_compat.c of libgd/gd_security.c */ +int overflow2(int a, int b); #endif /* GD_COMPAT_H */ diff --git a/ext/gd/tests/imageloadfont_invalid.phpt b/ext/gd/tests/imageloadfont_invalid.phpt index 07bf150..6cf0e33 100644 --- a/ext/gd/tests/imageloadfont_invalid.phpt +++ b/ext/gd/tests/imageloadfont_invalid.phpt @@ -3,7 +3,6 @@ imageloadfont() function crashes --SKIPIF-- <?php if (!extension_loaded('gd')) die("skip gd extension not available\n"); - if (!GD_BUNDLED) die('skip external GD libraries always fail'); ?> --FILE-- <?php -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
