php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-31 20:53:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-5.5' into PHP-5.6

Browse Source 
* PHP-5.5:
  Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop())
This commit is contained in:
Remi Collet
2013-12-28 14:26:06 +01:00
parent c8dedaf2dc 8f4a5373bb
commit 46809869a3
2 changed files with 52 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
ext/gd/libgd/gd_crop.c
View File

@@ -44,6 +44,12 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
{
gdImagePtr dst;
/* check size */
if (crop->width<=0 || crop->height<=0) {
return NULL;
}
/* allocate the requested size (could be only partially filled) */
if (src->trueColor) {
dst = gdImageCreateTrueColor(crop->width, crop->height);
gdImageSaveAlpha(dst, 1);
@@ -51,37 +57,43 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
dst = gdImageCreate(crop->width, crop->height);
gdImagePaletteCopy(dst, src);
}
if (dst == NULL) {
return NULL;
}
dst->transparent = src->transparent;
if (src->sx < (crop->x + crop->width -1)) {
crop->width = src->sx - crop->x + 1;
/* check position in the src image */
if (crop->x < 0 || crop->x>=src->sx || crop->y<0 || crop->y>=src->sy) {
return dst;
}
if (src->sy < (crop->y + crop->height -1)) {
crop->height = src->sy - crop->y + 1;
/* reduce size if needed */
if ((src->sx - crop->width) < crop->x) {
crop->width = src->sx - crop->x;
}
if ((src->sy - crop->height) < crop->y) {
crop->height = src->sy - crop->y;
}
#if 0
printf("rect->x: %i\nrect->y: %i\nrect->width: %i\nrect->height: %i\n", crop->x, crop->y, crop->width, crop->height);
#endif
if (dst == NULL) {
return NULL;
int y = crop->y;
if (src->trueColor) {
unsigned int dst_y = 0;
while (y < (crop->y + (crop->height - 1))) {
/* TODO: replace 4 w/byte per channel||pitch once available */
memcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);
}
} else {
int y = crop->y;
if (src->trueColor) {
unsigned int dst_y = 0;
while (y < (crop->y + (crop->height - 1))) {
/* TODO: replace 4 w/byte per channel||pitch once available */
memcpy(dst->tpixels[dst_y++], src->tpixels[y++] + crop->x, crop->width * 4);
}
} else {
int x;
for (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {
for (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {
dst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];
}
int x;
for (y = crop->y; y < (crop->y + (crop->height - 1)); y++) {
for (x = crop->x; x < (crop->x + (crop->width - 1)); x++) {
dst->pixels[y - crop->y][x - crop->x] = src->pixels[y][x];
}
}
return dst;
}
return dst;
}
/**

22
ext/gd/tests/bug66356.phpt
View File

@@ -7,12 +7,27 @@ Bug #66356 (Heap Overflow Vulnerability in imagecrop())
--FILE--
<?php
$img = imagecreatetruecolor(10, 10);
$img = imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10));
// POC #1
var_dump(imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10)));
$arr = array("x" => "a", "y" => "12b", "width" => 10, "height" => 10);
$img = imagecrop($img, $arr);
var_dump(imagecrop($img, $arr));
print_r($arr);
// POC #2
var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => -1, "height" => 10)));
// POC #3
var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" => 10)));
// POC #4
var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10)));
?>
--EXPECTF--
resource(%d) of type (gd)
resource(%d) of type (gd)
Array
(
[x] => a
@@ -20,3 +35,6 @@ Array
[width] => 10
[height] => 10
)
bool(false)
resource(%d) of type (gd)
resource(%d) of type (gd)