pajoye    Mon Jul 17 15:19:16 2006 UTC

Added files: (Branch: PHP_4_4)
  /php-src/ext/gd/tests    bug38112.phpt bug38112.gif

Modified files: /php-src NEWS /php-src/ext/gd/libgd gd_gif_in.c Log: - MFH #38112, bad code size segfault http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.141&r2=1.1247.2.920.2.142&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.1247.2.920.2.141 php-src/NEWS:1.1247.2.920.2.142 --- php-src/NEWS:1.1247.2.920.2.141 Sun Jul 16 10:53:55 2006 +++ php-src/NEWS Mon Jul 17 15:19:15 2006 @@ -6,6 +6,7 @@ - Improved safe_mode check for the error_log() function. (Ilia) - Fixed handling of extremely long paths inside tempnam() function. (Ilia) - Fixed XSS inside phpinfo() with long inputs. (Ilia) +- Fixed bug #38112 (corrupted gif segfaults) (Pierre) - Fixed bug #37720 (merge_php_config scrambles values). (Mike, pumuckel at metropolis dot de) - Fixed bug #37569 (WDDX incorrectly encodes high-ascii characters). (Ilia) http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.2.2.2.6.2&r2=1.2.2.2.6.3&diff_format=u Index: php-src/ext/gd/libgd/gd_gif_in.c diff -u php-src/ext/gd/libgd/gd_gif_in.c:1.2.2.2.6.2 php-src/ext/gd/libgd/gd_gif_in.c:1.2.2.2.6.3 --- php-src/ext/gd/libgd/gd_gif_in.c:1.2.2.2.6.2 Mon May 8 14:04:39 2006 +++ php-src/ext/gd/libgd/gd_gif_in.c Mon Jul 17 15:19:16 2006 @@ -216,6 +216,12 @@ if (!im) { return 0; } + + if (!im->colorsTotal) { + gdImageDestroy(im); + return 0; + } + /* Check for open colors at the end, so we can reduce colorsTotal and ultimately BitsPerPixel */ @@ -506,6 +512,19 @@ int v; int xpos = 0, ypos = 0, pass = 0; int i; + + /* + ** Initialize the Compression routines + */ + if (! ReadOK(fd,&c,1)) { + return; + } + + if (c > MAX_LWZ_BITS) { + return; + } + + /* Stash the color map into the image */ for (i=0; (i<gdMaxColors); i++) { im->red[i] = cmap[CM_RED][i]; 
@@ -515,12 +534,7 @@ } /* Many (perhaps most) of these colors will remain marked open. */ im->colorsTotal = gdMaxColors; - /* - ** Initialize the Compression routines - */ - if (! ReadOK(fd,&c,1)) { - return; - } + if (LWZReadByte(fd, TRUE, c) < 0) { return; } http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/bug38112.phpt?view=markup&rev=1.1 Index: php-src/ext/gd/tests/bug38112.phpt +++ php-src/ext/gd/tests/bug38112.phpt
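
Review bot: The `if (!im->colorsTotal)` check added in the @@ -216 hunk of gd_gif_in.c uses colorsTotal as an implicit failure flag, and nothing at the check says so. It only works because the early returns added in the @@ -506 hunk happen before `im->colorsTotal = gdMaxColors;` runs. Add a comment stating that a zero colorsTotal here means the reader bailed out before stashing the color map, or have the reading function return a status that this caller tests directly, so a later reordering does not silently defeat the check.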
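
Review bot: In the @@ -506 hunk of gd_gif_in.c, the bound `if (c > MAX_LWZ_BITS) { return; }` carries no comment, and the relocated "Initialize the Compression routines" comment now sits above the ReadOK read and the bound check instead of above the `LWZReadByte(fd, TRUE, c)` call that stays further down. Suggest a short comment on the bound saying that c is the code size byte taken from the file and that values above MAX_LWZ_BITS are rejected (bug #38112), and keeping the initialization comment next to the LWZReadByte call. Both new exits are a bare `return;`, so the rejection is invisible to the caller except through side effects.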
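
Review bot: The `if (LWZReadByte(fd, TRUE, c) < 0) { return; }` path kept by the @@ -515 hunk of gd_gif_in.c returns after `im->colorsTotal = gdMaxColors;` has been set, so the `!im->colorsTotal` check added at @@ -216 does not catch this failure and the caller proceeds as if the read had succeeded. Consider moving the LWZReadByte initialization above the colorsTotal assignment, alongside the new ReadOK and MAX_LWZ_BITS checks, or resetting colorsTotal to 0 before this return so all three failure exits are handled the same way.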