From feb586e60a2ecde4a8c8ae9b64761eb6343d1ade Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Tue, 18 Oct 2022 12:13:16 +0200
Subject: [PATCH] Fix #81739: OOB read due to insufficient validation in imageloadfont()

If we swap the byte order of the relevant header bytes, we need to make sure again that the following multiplication does not overflow.
---
 ext/gd/gd.c | 7 +++++++
 ext/gd/tests/bug81739.phpt | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 ext/gd/tests/bug81739.phpt

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 336ddef9c6b..2e7ba79faf7 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -686,6 +686,12 @@ PHP_FUNCTION(imageloadfont)
 font->w = FLIPWORD(font->w);
 font->h = FLIPWORD(font->h);
 font->nchars = FLIPWORD(font->nchars);
+ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
+ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
 body_size = font->w * font->h * font->nchars;
 }
@@ -696,6 +702,7 @@ PHP_FUNCTION(imageloadfont)
 RETURN_FALSE;
 }
+ ZEND_ASSERT(body_size > 0);
 font->data = emalloc(body_size);
 b = 0;
 while (b < body_size && (n = php_stream_read(stream, &font->data[b], body_size - b)) > 0) {
diff --git a/ext/gd/tests/bug81739.phpt b/ext/gd/tests/bug81739.phpt
new file mode 100644
index 00000000000..cc2a90381ba
--- /dev/null
+++ b/ext/gd/tests/bug81739.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #81739 (OOB read due to insufficient validation in imageloadfont())
+--SKIPIF--
+
+--FILE--
+
+--CLEAN--
+
+--EXPECTF--
+Warning: imageloadfont(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %s on line %d
+
+Warning: imageloadfont(): Error reading font, invalid font header in %s on line %d
+bool(false)
\ No newline at end of file
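Review bot: The new guard after the three FLIPWORD() calls relies on overflow2() doing more than its name suggests: in libgd's implementation it also reports a non-positive operand as a failure, and that is what rules out a zero or negative body_size for the emalloc() further down, yet nothing at the call site records it. A comment above the `if` would make the invariant visible, e.g. `/* overflow2() also rejects operands <= 0, so w*h*nchars is positive and fits in an int */` (confirm against the bundled gd_security.c before relying on it). Minor style: `font->w )` carries a stray space before the closing parenthesis, and the warn/efree/close/RETURN_FALSE sequence presumably duplicates the cleanup of the non-swapped header path, which sits outside this hunk together with the rest of PHP_FUNCTION(imageloadfont).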
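Review bot: `ZEND_ASSERT(body_size > 0)` is compiled out in non-debug builds, so in a release build it is the overflow2() checks on the two header paths alone that keep `emalloc(body_size)` from being called with a zero or negative size; the assertion should say where that guarantee comes from rather than look like a check. A one-line comment would do: `/* debug-only: both header paths have passed overflow2(), which rejects non-positive sizes */`. The blank context line and the rest of the read loop lie outside the collapsed hunk, and the enclosing function continues beyond it.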
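Review bot: The --EXPECTF-- section encodes two things that are easy to misread when the expectation is next adjusted: `%croduct` tolerates either capitalisation of the first word of libgd's overflow warning (presumably because bundled and external libgd differ), and the ` in %s on line %d` continuation line exists because that warning text appears to end with its own newline. The --FILE-- section is empty as rendered here, so its PHP source seems to have been stripped and cannot be reviewed; a short `//` comment in that section naming both conventions would help the next maintainer.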