mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

php: Security fix CVE-2016-1903

Browse Source 
CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated

Signed-off-by: Armin Kuster <akuster@mvista.com>
This commit is contained in:
Armin Kuster
2016-02-01 08:31:05 -08:00
committed by Martin Jansa
parent 889258fd3a
commit dc5634968b
2 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch
+55
View File
@@ -0,0 +1,55 @@
From 4b8394dd78571826ac66a69dc240c623f31d78f8 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 7 Dec 2015 23:30:49 -0800
Subject: [PATCH] Fix bug #70976: fix boundary check on
gdImageRotateInterpolated
Upstream-Status: Backport
https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8
CVE: CVE-2016-1903
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ext/gd/libgd/gd_interpolation.c | 2 +-
ext/gd/tests/bug70976.phpt | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
create mode 100644 ext/gd/tests/bug70976.phpt
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index f70169d..0f874ac 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
{
const int angle_rounded = (int)floor(angle * 100);
- if (bgcolor < 0) {
+ if (bgcolor < 0 || bgcolor >= gdMaxColors) {
return NULL;
}
diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt
new file mode 100644
index 0000000..23af4ee
--- /dev/null
+++ b/ext/gd/tests/bug70976.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
+--SKIPIF--
+<?php
+ if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+?>
+--FILE--
+<?php
+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
+var_dump($img);
+?>
+--EXPECTF--
+bool(false)
\ No newline at end of file
--
2.3.5
meta-oe/recipes-devtools/php/php_5.6.12.bb
+1
View File
@@ -3,6 +3,7 @@ require php.inc
SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
file://CVE-2015-7803.patch \
file://CVE-2015-7804.patch \
file://CVE-2016-1903.patch \
"
SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b"
SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a"