pajoye          Wed May 16 22:19:08 2007 UTC

  Added files:                 (Branch: PHP_5_2)
    /php-src/ext/gd/tests       libgd00086.phpt libgd00086.png 

  Modified files:              
    /php-src    NEWS 
    /php-src/ext/gd/libgd       gd_png.c 
  Log:
  - MFH: libgd #86: Fixed possible infinite loop in libgd/gd_png.c
    (Reported by Xavier Roche)
  
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.711&r2=1.2027.2.547.2.712&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.711 php-src/NEWS:1.2027.2.547.2.712
--- php-src/NEWS:1.2027.2.547.2.711     Wed May 16 21:22:12 2007
+++ php-src/NEWS        Wed May 16 22:19:07 2007
@@ -8,6 +8,8 @@
   altered at run time. (Scott)
 - Allow SOAP extension's handler() to work even when
   always_populate_raw_post_data is off. (Ilia)
+- Fixed possible infinite loop in imagepng (libgd #86) (by Xavier Roche)
+  (Pierre)
 - Fixed ext/filter Email Validation Vulnerability (MOPB-24 by Stefan Esser)
   (Ilia)
 - Fixed altering $this via argument named "this". (Dmitry)
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_png.c?r1=1.17.4.2.2.4&r2=1.17.4.2.2.5&diff_format=u
Index: php-src/ext/gd/libgd/gd_png.c
diff -u php-src/ext/gd/libgd/gd_png.c:1.17.4.2.2.4 
php-src/ext/gd/libgd/gd_png.c:1.17.4.2.2.5
--- php-src/ext/gd/libgd/gd_png.c:1.17.4.2.2.4  Sun Dec 10 01:38:01 2006
+++ php-src/ext/gd/libgd/gd_png.c       Wed May 16 22:19:08 2007
@@ -71,7 +71,11 @@
 
 static void gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t 
length)
 {
-       gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+       int check;
+       check = gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+       if (check != length) {
+               png_error(png_ptr, "Read Error: truncated data");
+       }
 }
 
 static void gdPngWriteData (png_structp png_ptr, png_bytep data, png_size_t 
length)
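Review bot: The added test `check != length` compares an `int` with a `png_size_t`, so `check` is converted to unsigned before the comparison; a negative return from gdGetBuf is still rejected, but only as a side effect of that conversion, and the intent is not visible to the reader. I would spell it out as `if (check < 0 || (png_size_t) check != length) {`. `length` is also handed to gdGetBuf unchanged, and if that parameter is an `int` (its prototype is not in this hunk) a very large request would be narrowed before the read, which deserves a guard or at least a comment. Because this callback is fed file data from outside and the log describes the failure as an infinite loop, a short comment such as `/* short read: abort decoding, libpng must not parse bytes that were never filled in */` would record why the check exists. gdPngReadData is complete in the hunk; gdPngWriteData's body lies outside it.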

http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/libgd00086.phpt?view=markup&rev=1.1
Index: php-src/ext/gd/tests/libgd00086.phpt
+++ php-src/ext/gd/tests/libgd00086.phpt
--TEST--
Bug #39780 (PNG image with CRC/data error raises a fatal error)
--SKIPIF--
<?php 
        if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
        if (!GD_BUNDLED) die('skip external GD libraries always fail');
?>
--FILE--
<?php

$im = imagecreatefrompng(dirname(__FILE__) . '/libgd00086.png');
var_dump($im);
?>
--EXPECTF--

Warning: imagecreatefrompng(): gd-png:  fatal libpng error: Read Error: 
truncated data in %s on line %d

Warning: imagecreatefrompng(): gd-png error: setjmp returns error condition in 
%s on line %d

Warning: imagecreatefrompng(): '%s' is not a valid PNG file in %s on line %d
bool(false)
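Review bot: The `--TEST--` title names Bug #39780 (a fatal error on CRC/data errors), while the file name, the NEWS entry and the commit log all refer to libgd #86 and an infinite loop on truncated data. The title looks carried over from another test and should describe this case, e.g. `libgd #86 (truncated PNG data must raise a read error, not loop)`. The expected output pins the three warnings and `bool(false)`, which covers the new error path. A regression to the old behaviour would presumably show up as a hang, so detecting it depends on the test runner's timeout, not on an assertion in the test.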
