Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0: Fix #73549: Use after free when stream is passed to imagepng
Metabolix · Nov 27, 2016 · 8cc4253 · 8cc4253
2 parents 02cecc0 + 1cb58ea
commit 8cc4253
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
@@ -57,6 +57,16 @@ static int _php_image_stream_putbuf(struct gdIOCtx *ctx, const void* buf, int l)
 } /* }}} */
 
 static void _php_image_stream_ctxfree(struct gdIOCtx *ctx) /* {{{ */
+{
+	if(ctx->data) {
+		ctx->data = NULL;
+	}
+	if(ctx) {
+		efree(ctx);
+	}
+} /* }}} */
+
+static void _php_image_stream_ctxfreeandclose(struct gdIOCtx *ctx) /* {{{ */
 {
 
 	if(ctx->data) {
@@ -82,6 +92,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 	gdIOCtx *ctx = NULL;
 	zval *to_zval = NULL;
 	php_stream *stream;
+	int close_stream = 1;
 
 	/* The third (quality) parameter for Wbmp stands for the threshold when called from image2wbmp().
 	 * The third (quality) parameter for Wbmp and Xbm stands for the foreground color index when called
@@ -120,6 +131,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 			if (stream == NULL) {
 				RETURN_FALSE;
 			}
+			close_stream = 0;
 		} else if (Z_TYPE_P(to_zval) == IS_STRING) {
 			if (CHECK_ZVAL_NULL_PATH(to_zval)) {
 				php_error_docref(NULL, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
@@ -156,7 +168,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 		ctx = emalloc(sizeof(gdIOCtx));
 		ctx->putC = _php_image_stream_putc;
 		ctx->putBuf = _php_image_stream_putbuf;
-		ctx->gd_free = _php_image_stream_ctxfree;
+		if (close_stream) {
+			ctx->gd_free = _php_image_stream_ctxfreeandclose;
+		} else {
+			ctx->gd_free = _php_image_stream_ctxfree;
+		}
 		ctx->data = (void *)stream;
 	}
 

diff --git a/ext/gd/tests/bug73549.phpt b/ext/gd/tests/bug73549.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #73549 (Use after free when stream is passed to imagepng)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$stream = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png', 'w');
+$im = imagecreatetruecolor(8, 8);
+var_dump(imagepng($im, $stream));
+var_dump($stream);
+?>
+===DONE===
+--EXPECTF--
+bool(true)
+resource(%d) of type (stream)
+===DONE===
+--CLEAN--
+<?php
+unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug73549.png');
+?>