php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #73869 Signed Integer Overflow gd_io.c
Submitted: 2017-01-05 10:33 UTC Modified: 2017-01-28 23:05 UTC
From: [email protected] Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.6.29 OS:
Private report: No CVE-ID: 2016-10168
View Developer Edit
 [2017-01-05 10:33 UTC] [email protected] 
Description:
------------
This is a security sync with GD-2.2

~~~

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.

Patches

fix-73869 (last revision 2017-01-05 17:00 UTC by [email protected])
0004-Fix-354-Signed-Integer-Overflow-gd_io.c.patch (last revision 2017-01-05 10:33 UTC by ondrej)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-05 17:00 UTC] [email protected] 
The following patch has been added/updated:

Patch Name: fix-73869
Revision:   1483635640
URL:        https://bugs.php.net/patch-display.php?bug=73869&patch=fix-73869&revision=1483635640
 [2017-01-05 17:01 UTC] [email protected] 
fix-73869 adds a respective PHPT, and should be applied against
PHP-5.6.
 [2017-01-05 19:27 UTC] [email protected]
-Assigned To: +Assigned To: cmb
 [2017-01-05 23:08 UTC] [email protected]
-PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-16 17:08 UTC] [email protected] 
Patch is merged into security repo as 5b5d9db3988b829e0b121b74bb3947f01c2796a1.

Thanks.
 [2017-01-21 16:56 UTC] [email protected]
-Status: Assigned +Status: Closed
 [2017-01-21 16:56 UTC] [email protected] 
The fix has been released with PHP 5.6.30, 7.0.15 and 7.1.1, so
I'm (dis)closing.
 [2017-01-28 23:05 UTC] [email protected]
-CVE-ID: +CVE-ID: 2016-10168
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jun 12 16:01:27 2025 UTC