From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Tue, 28 Jun 2016 16:23:42 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in _gd2GetHeader() resulting in heap overflow
---
 src/gd_gd2.c | 10 +++++++++-
 tests/gd2/CMakeLists.txt | 1 +
 tests/gd2/Makemodule.am | 6 ++++--
 tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
 4 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 tests/gd2/php_bug_72339.c
diff -uNrp libgd-2.2.2.orig/src/gd_gd2.c libgd-2.2.2/src/gd_gd2.c
--- libgd-2.2.2.orig/src/gd_gd2.c 2016-06-03 04:34:39.000000000 -0400
+++ libgd-2.2.2/src/gd_gd2.c 2016-06-30 10:36:19.097602113 -0400
@@ -152,10 +152,18 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
 if (gd2_compressed (*fmt)) {
 nc = (*ncx) * (*ncy);
+
 GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ if (overflow2(sizeof(t_chunk_info), nc)) {
+ goto fail1;
+ }
 sidx = sizeof (t_chunk_info) * nc;
+ if (sidx <= 0) {
+ goto fail1;
+ }
+
 cidx = gdCalloc (sidx, 1);
- if (!cidx) {
+ if (cidx == NULL) {
 goto fail1;
 }
 for (i = 0; i < nc; i++) {
diff -uNrp libgd-2.2.2.orig/tests/gd2/CMakeLists.txt libgd-2.2.2/tests/gd2/CMakeLists.txt
--- libgd-2.2.2.orig/tests/gd2/CMakeLists.txt 2016-06-23 22:50:48.000000000 -0400
+++ libgd-2.2.2/tests/gd2/CMakeLists.txt 2016-06-30 10:36:13.457519403 -0400
@@ -2,6 +2,7 @@ SET(TESTS_FILES
 gd2_empty_file
 gd2_im2im
 gd2_null
+ php_bug_72339
 )
 ADD_GD_TESTS()
diff -uNrp libgd-2.2.2.orig/tests/gd2/Makemodule.am libgd-2.2.2/tests/gd2/Makemodule.am
--- libgd-2.2.2.orig/tests/gd2/Makemodule.am 2016-06-03 04:34:39.000000000 -0400
+++ libgd-2.2.2/tests/gd2/Makemodule.am 2016-06-30 10:36:13.457519403 -0400
@@ -3,7 +3,8 @@ libgd_helper_programs += \
 gd2/gd2_read_corrupt
 libgd_test_programs += \
- gd2/gd2_empty_file
+ gd2/gd2_empty_file \
+ gd2/php_bug_72339
 TESTS += \
 gd2/invalid_header.sh
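Review bot: The new `overflow2(sizeof(t_chunk_info), nc)` guard only covers the second product; `nc = (*ncx) * (*ncy)` just above it is still an unchecked signed multiply of two header-supplied chunk counts, so `nc` can already have wrapped (or gone negative) before `overflow2()` ever sees it, unless `*ncx`/`*ncy` are range-checked earlier in `_gd2GetHeader()`, whose start lies outside this hunk. The count itself should be validated first, e.g. `if (overflow2(*ncx, *ncy)) { goto fail1; }` placed before the `nc =` assignment. The added `if (sidx <= 0)` test is a reasonable second line of defence, but its usefulness depends on `sidx` being a signed type, which the hunk does not show; if it is unsigned the comparison only rejects zero. A short comment on the guard, `/* header counts are attacker-controlled; reject before sizing cidx */`, would make the intent clear to the next reader.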
@@ -32,4 +33,5 @@ EXTRA_DIST += \
 gd2/invalid_header.gd2 \
 gd2/invalid_header.sh \
 gd2/invalid_neg_size.gd2 \
- gd2/invalid_neg_size.sh
+ gd2/invalid_neg_size.sh \
+ gd2/php_bug_72339_exp.gd2
diff -uNrp libgd-2.2.2.orig/tests/gd2/php_bug_72339.c libgd-2.2.2/tests/gd2/php_bug_72339.c
--- libgd-2.2.2.orig/tests/gd2/php_bug_72339.c 1969-12-31 19:00:00.000000000 -0500
+++ libgd-2.2.2/tests/gd2/php_bug_72339.c 2016-06-30 10:36:19.097602113 -0400
@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+#include "gdtest.h"
+
+int main()
+{
+ gdImagePtr im;
+ FILE *fp;
+
+ fp = gdTestFileOpen("gdimagerotate/php_bug_64898.png");
+ im = gdImageCreateFromGd2(fp);
+ if (im == NULL) {
+ return 0;
+ } else {
+ gdTestErrorMsg("Image should have failed to be loaded");
+ return 1;
+ }
+
+}
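Review bot: The new test does not appear to reach the code this commit fixes: it hands `gdimagerotate/php_bug_64898.png` to `gdImageCreateFromGd2()`, which presumably fails on the GD2 signature long before the chunk-index sizing in `_gd2GetHeader()`, while the `gd2/php_bug_72339_exp.gd2` fixture the same commit adds to EXTRA_DIST is never opened, so the test would pass with or without the fix. The test also leaks on both paths: `fp` is never closed, a non-NULL `im` is returned without `gdImageDestroy()`, and `fp` is passed straight on without a NULL check unless `gdTestFileOpen()` guarantees one (its body is not on the page). `int main()` should be `int main(void)`. The rewrite below opens the GD2 fixture, closes the stream once the load has been attempted, and frees the image on the unexpected-success path.
```c
int main(void)
{
	gdImagePtr im;
	FILE *fp;

	/* fixture shipped in EXTRA_DIST; expected to be rejected by the header check */
	fp = gdTestFileOpen("gd2/php_bug_72339_exp.gd2");
	if (fp == NULL) {
		gdTestErrorMsg("Unable to open test input");
		return 1;
	}
	im = gdImageCreateFromGd2(fp);
	fclose(fp);
	if (im == NULL) {
		return 0;
	}
	gdTestErrorMsg("Image should have failed to be loaded");
	gdImageDestroy(im);
	return 1;
}
```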