tests imageloadfont_invalid.phpt

Pierre-Alain Joye Thu, 17 Jul 2008 16:29:37 -0700

pajoye          Thu Jul 17 23:28:11 2008 UTC

  Modified files:              
    /php-src/ext/gd     gd.c 
    /php-src/ext/gd/tests       imageloadfont_invalid.phpt 
  Log:
  - MFB: fix crash when some crafted font are given
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.389&r2=1.390&diff_format=u
Index: php-src/ext/gd/gd.c
diff -u php-src/ext/gd/gd.c:1.389 php-src/ext/gd/gd.c:1.390
--- php-src/ext/gd/gd.c:1.389   Mon Jul  7 08:40:04 2008
+++ php-src/ext/gd/gd.c Thu Jul 17 23:28:11 2008
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: gd.c,v 1.389 2008/07/07 08:40:04 pajoye Exp $ */
+/* $Id: gd.c,v 1.390 2008/07/17 23:28:11 pajoye Exp $ */
 
 /* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center,
    Cold Spring Harbor Labs. */
@@ -1483,6 +1483,19 @@
                body_size = font->w * font->h * font->nchars;
        }
 
+       if (overflow2(font->nchars, font->h)) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading 
font, invalid font header");
+               efree(font);
+               php_stream_close(stream);
+               RETURN_FALSE;
+       }
+       if (overflow2(font->nchars * font->h, font->w )) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading 
font, invalid font header");
+               efree(font);
+               php_stream_close(stream);
+               RETURN_FALSE;
+       }
+
        if (body_size != body_size_check) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading 
font");
                efree(font);
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imageloadfont_invalid.phpt?r1=1.1&r2=1.2&diff_format=u
Index: php-src/ext/gd/tests/imageloadfont_invalid.phpt
diff -u /dev/null php-src/ext/gd/tests/imageloadfont_invalid.phpt:1.2
--- /dev/null   Thu Jul 17 23:28:11 2008
+++ php-src/ext/gd/tests/imageloadfont_invalid.phpt     Thu Jul 17 23:28:11 2008
@@ -0,0 +1,25 @@
+--TEST--
+imageloadfont() function crashes
+--SKIPIF--
+<?php 
+       if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+       if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$filename = dirname(__FILE__) .  '/font.gdf';
+$bin = "\x41\x41\x41\x41\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00";
+$fp = fopen($filename, 'wb');
+fwrite($fp, $bin);
+fclose($fp);
+
+$image = imagecreatetruecolor(50, 20);
+$font = imageloadfont($filename);
+$black = imagecolorallocate($image, 0, 0, 0);
+imagestring($image, $font, 0, 0, "Hello", $black);
+?>
+--EXPECTF--
+Warning: imageloadfont(): gd warning: product of memory allocation 
multiplication would exceed INT_MAX, failing operation gracefully
+ in %simageloadfont_invalid.php on line %d
+
+Warning: imageloadfont(): Error reading font, invalid font header in 
%simageloadfont_invalid.php on line %d




-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-CVS] cvs: php-src /ext/gd gd.c /ext/gd/tests imageloadfont_invalid.phpt

Reply via email to