php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-03 22:22:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #67730 - Null byte injection possible with imagexxx functions

Browse Source
This commit is contained in:
Stanislav Malyshev
2014-08-18 22:49:10 -07:00
parent 529da0f74c
commit 706aefb781
2 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@@ -16,6 +16,8 @@ PHP NEWS
- GD: - GD:
. Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference).
(CVE-2014-2497) (Remi) (CVE-2014-2497) (Remi)
. Fixed bug #67730 (Null byte injection possible with imagexxx functions).
(CVE-2014-5120) (Ryan Mauger)
- Milter: - Milter:
. Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike) . Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike)

5
ext/gd/gd_ctx.c
View File

@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
RETURN_FALSE; RETURN_FALSE;
} }
} else if (Z_TYPE_P(to_zval) == IS_STRING) { } else if (Z_TYPE_P(to_zval) == IS_STRING) {
if (CHECK_ZVAL_NULL_PATH(to_zval)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
RETURN_FALSE;
}
stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
if (stream == NULL) { if (stream == NULL) {
RETURN_FALSE; RETURN_FALSE;