mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-14 05:49:57 +00:00
Armin Kuster
dc5634968b
CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated Signed-off-by: Armin Kuster <akuster@mvista.com>
56 lines
1.5 KiB
Diff
56 lines
1.5 KiB
Diff
From 4b8394dd78571826ac66a69dc240c623f31d78f8 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Mon, 7 Dec 2015 23:30:49 -0800
|
|
Subject: [PATCH] Fix bug #70976: fix boundary check on
|
|
gdImageRotateInterpolated
|
|
|
|
Upstream-Status: Backport
|
|
|
|
https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8
|
|
|
|
CVE: CVE-2016-1903
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
|
|
---
|
|
ext/gd/libgd/gd_interpolation.c | 2 +-
|
|
ext/gd/tests/bug70976.phpt | 13 +++++++++++++
|
|
2 files changed, 14 insertions(+), 1 deletion(-)
|
|
create mode 100644 ext/gd/tests/bug70976.phpt
|
|
|
|
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
|
|
index f70169d..0f874ac 100644
|
|
--- a/ext/gd/libgd/gd_interpolation.c
|
|
+++ b/ext/gd/libgd/gd_interpolation.c
|
|
@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
|
|
{
|
|
const int angle_rounded = (int)floor(angle * 100);
|
|
|
|
- if (bgcolor < 0) {
|
|
+ if (bgcolor < 0 || bgcolor >= gdMaxColors) {
|
|
return NULL;
|
|
}
|
|
|
|
diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt
|
|
new file mode 100644
|
|
index 0000000..23af4ee
|
|
--- /dev/null
|
|
+++ b/ext/gd/tests/bug70976.phpt
|
|
@@ -0,0 +1,13 @@
|
|
+--TEST--
|
|
+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
|
|
+--SKIPIF--
|
|
+<?php
|
|
+ if(!extension_loaded('gd')){ die('skip gd extension not available'); }
|
|
+?>
|
|
+--FILE--
|
|
+<?php
|
|
+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
|
|
+var_dump($img);
|
|
+?>
|
|
+--EXPECTF--
|
|
+bool(false)
|
|
\ No newline at end of file
|
|
--
|
|
2.3.5
|
|
|