pajoye Thu Jul 17 23:28:11 2008 UTC Modified files: /php-src/ext/gd gd.c /php-src/ext/gd/tests imageloadfont_invalid.phpt Log: - MFB: fix crash when some crafted font are given http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.389&r2=1.390&diff_format=u Index: php-src/ext/gd/gd.c diff -u php-src/ext/gd/gd.c:1.389 php-src/ext/gd/gd.c:1.390 --- php-src/ext/gd/gd.c:1.389 Mon Jul 7 08:40:04 2008 +++ php-src/ext/gd/gd.c Thu Jul 17 23:28:11 2008 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: gd.c,v 1.389 2008/07/07 08:40:04 pajoye Exp $ */ +/* $Id: gd.c,v 1.390 2008/07/17 23:28:11 pajoye Exp $ */ /* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center, Cold Spring Harbor Labs. */ @@ -1483,6 +1483,19 @@ body_size = font->w * font->h * font->nchars; } + if (overflow2(font->nchars, font->h)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); + efree(font); + php_stream_close(stream); + RETURN_FALSE; + } + if (overflow2(font->nchars * font->h, font->w )) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); + efree(font); + php_stream_close(stream); + RETURN_FALSE; + } + if (body_size != body_size_check) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font"); efree(font); http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imageloadfont_invalid.phpt?r1=1.1&r2=1.2&diff_format=u Index: php-src/ext/gd/tests/imageloadfont_invalid.phpt diff -u /dev/null php-src/ext/gd/tests/imageloadfont_invalid.phpt:1.2 --- /dev/null Thu Jul 17 23:28:11 2008 +++ php-src/ext/gd/tests/imageloadfont_invalid.phpt Thu Jul 17 23:28:11 2008 
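Review bot: Both added `overflow2()` guards sit below the context line `body_size = font->w * font->h * font->nchars;`, so the product of the file-supplied header fields is computed before it is validated. If those fields are plain `int` (their declarations are outside the hunk), that multiplication can already overflow, which is undefined behaviour in C even though the result is later discarded. I would move the validation above every computation of `body_size` and fold the two identical error paths into one: `if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w)) {`. A short comment such as `/* header fields come from the font file; reject any w*h*nchars product that would exceed INT_MAX */` would record why the check exists. The enclosing function starts and ends outside this hunk, so the other branch that sets `body_size` should be checked for the same ordering.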
@@ -0,0 +1,25 @@
+--TEST--
+imageloadfont() function crashes
+--SKIPIF--
+<?php
+ if (!extension_loaded('gd')) die("skip gd extension not available\n");
+ if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$filename = dirname(__FILE__) . '/font.gdf';
+$bin = "\x41\x41\x41\x41\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00";
+$fp = fopen($filename, 'wb');
+fwrite($fp, $bin);
+fclose($fp);
+
+$image = imagecreatetruecolor(50, 20);
+$font = imageloadfont($filename);
+$black = imagecolorallocate($image, 0, 0, 0);
+imagestring($image, $font, 0, 0, "Hello", $black);
+?>
+--EXPECTF--
+Warning: imageloadfont(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %simageloadfont_invalid.php on line %d
+
+Warning: imageloadfont(): Error reading font, invalid font header in %simageloadfont_invalid.php on line %d
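Review bot: The test writes `font.gdf` into the tests directory and never removes it, so the crafted font file is left behind after every run. Adding `unlink($filename);` after the `imagestring()` call, or a `--CLEAN--` section that does the same, keeps the tree clean. The title `imageloadfont() function crashes` names the old bug rather than the expected behaviour; something like `imageloadfont() rejects a font header whose dimensions overflow` would tell a reader what the test asserts. A one-line comment above `$bin` saying which header fields the bytes set would also make the regression input reviewable without decoding it by hand.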