Fix GH-16771: imagecreatefromstring overflow on invalid format. #16776
Conversation
I think the patch fixes the overflow (and as such is good as bug fix), but also see Lines 912 to 957 in 7b029a3
That code looks better. According to the WBMP specification (section 6), the first field is a multibyte integer, but the second field is a fixed size integer (8 bit). The code in gd.c assumes that both are MBI. Plus, only Lines 160 to 186 in 7b029a3
So I suggest (maybe for
ext/gd/gd.c | 29 ++---------------------------
1 file changed, 2 insertions(+), 27 deletions(-)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index a2c3e7d0de..938672ccc0 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1358,24 +1358,6 @@ PHP_FUNCTION(imagetypes)
}
/* }}} */
-/* {{{ _php_ctx_getmbi */
-
-static int _php_ctx_getmbi(gdIOCtx *ctx)
-{
- int i, mbi = 0;
-
- do {
- i = (ctx->getC)(ctx);
- if (i < 0) {
- return -1;
- }
- mbi = (mbi << 7) | (i & 0x7f);
- } while (i & 0x80);
-
- return mbi;
-}
-/* }}} */
-
/* {{{ _php_image_type
* Based on ext/standard/image.c
*/
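Review bot: Deleting `_php_ctx_getmbi()` whole is correct only if `_php_image_type()` was its sole caller; the diffstat touches just `ext/gd/gd.c`, so that holds within this file, but please double-check no other translation unit declared it. The removed loop is also worth a sentence in the commit message: `mbi = (mbi << 7) | (i & 0x7f);` keeps running for every byte that has bit `0x80` set, with no cap on the byte count, so a short run of such bytes left-shifts a signed `int` past 31 bits, which is undefined behaviour in C. If that unbounded shift is the overflow the PR title refers to, saying so explicitly in the commit message ties GH-16771 to the code that actually went away.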
@@ -1413,15 +1395,8 @@ static int _php_image_type(zend_string *data)
}
}
- gdIOCtx *io_ctx;
- io_ctx = gdNewDynamicCtxEx(8, ZSTR_VAL(data), 0);
- if (io_ctx) {
- if (_php_ctx_getmbi(io_ctx) == 0 && _php_ctx_getmbi(io_ctx) >= 0) {
- io_ctx->gd_free(io_ctx);
- return PHP_GDIMG_TYPE_WBM;
- } else {
- io_ctx->gd_free(io_ctx);
- }
+ if (ZSTR_VAL(data)[0] == 0) {
+ return PHP_GDIMG_TYPE_WBM;
}
return -1; |
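Review bot: The replacement test `ZSTR_VAL(data)[0] == 0` reads byte 0 without consulting `ZSTR_LEN(data)`. Because a zend_string is always NUL-terminated the read itself stays in bounds, but for an empty string it is the terminator being compared, and the function would then report `PHP_GDIMG_TYPE_WBM`. Please confirm the length guard at the top of `_php_image_type()` (outside this hunk) rejects such inputs before this point, or add `ZSTR_LEN(data) > 0 &&` here. Two things a short comment on the new line would preserve: the old path built `gdNewDynamicCtxEx(8, ZSTR_VAL(data), 0)` over a fixed 8 bytes regardless of the real length, and the second-MBI `>= 0` check is intentionally dropped because, per the discussion above, the proper WBMP header parsing (MBI type field, fixed 8-bit field) lives in gd's own reader; something like `/* first byte is the WBMP type field; 0 is the only defined type */` would explain why one zero byte suffices for sniffing.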
So I propose we merge it and then I suggest you open a PR for master, wdyt?
Sounds good!
No description provided.
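The header layout described in the review comment above (a multibyte-integer type field, one fixed 8-bit field, then MBI width and height), as an added C example that is not php-src or libgd code: a bounds-checked parser whose MBI reader carries the length and overflow guards the removed helper lacked. The struct, function names and sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not php-src or libgd code: bounds-checked parsing of the WBMP
 * level-0 header (spec section 6): TypeField (MBI), FixHeaderField (one fixed 8-bit
 * byte), Width (MBI), Height (MBI). An MBI carries 7 bits per byte, big-endian,
 * with bit 0x80 set on every byte except the last. */
struct wbmp_hdr { uint32_t type; uint8_t fixheader; uint32_t width; uint32_t height; };

/* Reads one MBI at *pos. Fails (-1) on a truncated buffer or when another 7 bits
 * would overflow 32 bits; the removed _php_ctx_getmbi() had neither guard. */
static int read_mbi(const unsigned char *buf, size_t len, size_t *pos, uint32_t *out)
{
    uint32_t v = 0; unsigned char c;
    do {
        if (*pos >= len || v > (UINT32_MAX >> 7)) return -1;
        c = buf[(*pos)++];
        v = (v << 7) | (c & 0x7f);
    } while (c & 0x80);
    *out = v;
    return 0;
}

/* Returns the offset of the first bitmap row, or -1 for any malformed header. */
int wbmp_parse_header(const unsigned char *buf, size_t len, struct wbmp_hdr *h)
{
    size_t pos = 0;
    if (read_mbi(buf, len, &pos, &h->type) != 0 || h->type != 0) return -1; /* only type 0 is defined */
    if (pos >= len) return -1;                  /* FixHeaderField missing */
    h->fixheader = buf[pos++];                  /* a plain byte, never MBI-decoded */
    if (h->fixheader & 0x80) return -1;         /* extension headers flagged; not handled here */
    if (read_mbi(buf, len, &pos, &h->width) != 0 || read_mbi(buf, len, &pos, &h->height) != 0 ||
        h->width == 0 || h->height == 0) return -1;
    return (int)pos;
}

/* Constructed sample inputs, not real files. */
static const unsigned char wbmp_ok[]   = {0x00, 0x00, 0x81, 0x00, 0x04, 0xff, 0xff};       /* 128x4 */
static const unsigned char wbmp_cut[]  = {0x00, 0x00, 0x08};                               /* no height */
static const unsigned char wbmp_long[] = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}; /* width > 32 bits */
int main(void)
{
    struct wbmp_hdr h;
    int off = wbmp_parse_header(wbmp_ok, sizeof wbmp_ok, &h);
    printf("ok: offset=%d size=%ux%u\n", off, (unsigned)h.width, (unsigned)h.height);
    printf("cut=%d long=%d\n", wbmp_parse_header(wbmp_cut, sizeof wbmp_cut, &h),
           wbmp_parse_header(wbmp_long, sizeof wbmp_long, &h));
    return 0;
}
```

The first input parses to a 128x4 image with its bitmap starting at offset 5; the truncated and runaway-continuation inputs are both rejected instead of being read past their end or shifted into overflow.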