php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-26 17:38:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

- fix crash when some crafted font are given

Browse Source
This commit is contained in:
Pierre Joye
2008-07-17 18:08:04 +00:00
parent 74cb3c6816
commit 3bebc2f50d
3 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
NEWS
+2
View File
@@ -2,6 +2,8 @@ PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ?? 2008, Version 4.4.9
- Updated PCRE to version 7.7. (Nuno)
- Fixed crash in imageloadfont when an invalid font is given
(discovered by CzechSec, fixed by Pierre)
03 Jan 2008, Version 4.4.8
- Improved fix for MOPB-02-2007. (Ilia)
ext/gd/gd.c
+13
View File
@@ -669,6 +669,19 @@ PHP_FUNCTION(imageloadfont)
body_size = font->w * font->h * font->nchars;
}
if (overflow2(font->nchars, font->h)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
efree(font);
php_stream_close(stream);
RETURN_FALSE;
}
if (overflow2(font->nchars * font->h, font->w )) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
efree(font);
php_stream_close(stream);
RETURN_FALSE;
}
if (body_size != body_size_check) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");
efree(font);
ext/gd/tests/imageloadfont_invalid.phpt
+26
View File
@@ -0,0 +1,26 @@
--TEST--
imageloadfont() function crashes
--SKIPIF--
<?php
if (!extension_loaded('gd')) die("skip gd extension not available\n");
if (!GD_BUNDLED) die('skip external GD libraries always fail');
?>
--FILE--
<?php
$filename = dirname(__FILE__) . '/font.gdf';
$bin = "\x41\x41\x41\x41\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00";
$fp = fopen($filename, 'wb');
fwrite($fp, $bin);
fclose($fp);
$image = imagecreatetruecolor(50, 20);
$font = imageloadfont($filename);
$black = imagecolorallocate($image, 0, 0, 0);
imagestring($image, $font, 0, 0, "Hello", $black);
?>
--EXPECTF--
Warning: imageloadfont() [%s]: gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
in %simageloadfont_invalid.php on line %d
Warning: imageloadfont() [%s]: Error reading font, invalid font header in %simageloadfont_invalid.php on line %d