GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
php_check_open_basedir() expects a local filesystem path,
but we're handing it a `glob://...` URI instead.
Move the check to after the path trim so that we're checking
a meaningful pathspec.
* PHP-5.6.30:
Fix bug #73737 FPE when parsing a tag format
Fix bug #73773 - Seg fault when loading hostile phar
Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
Fix bug #73768 - Memory corruption when loading hostile phar
Fix int overflows in phar (bug #73764)
This reverts commit eb570294a2.
That commit caused a regression, so it's probably best to revert it, and
to tackle the issue for the next minor release.
Simplify some unnecessarily complicated code. In particular the
length updates are unnecessary (length is only used at the very
start) and we're goto'ing around a bit too much.
The E_WARNING message from the PHP function lchown is passed
from the system function lchown. The error message returned
from lchown can be filesystem dependent.
Calling sqlite3_reset() when a result set object is freed can cause
undesired and maybe even hard to track interference with other result
sets. Furthermore, there is no need to call sqlite3_reset(), because
that is implicitly called on SQLite3Stmt::execute(), and users are
encouraged to explicitly call either SQLite3Result::finalize() or
SQLite3Stmt::reset() anyway.
Christoph M. Becker