Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()

We must not pretend that there are image data if there are none. Instead we fail reading the image file gracefully. (cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
ideal · Jan 17, 2017 · f1b2afc · f1b2afc
1 parent 6477bb7
commit f1b2afc
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
@@ -340,12 +340,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
 					for (x = xlo; x < xhi; x++) {
 						if (im->trueColor) {
 							if (!gdGetInt(&im->tpixels[y][x], in)) {
-								im->tpixels[y][x] = 0;
+								php_gd_error("gd2: EOF while reading\n");
+								gdImageDestroy(im);
+								return NULL;
 							}
 						} else {
 							int ch;
 							if (!gdGetByte(&ch, in)) {
-								ch = 0;
+								php_gd_error("gd2: EOF while reading\n");
+								gdImageDestroy(im);
+								return NULL;
 							}
 							im->pixels[y][x] = ch;
 						}

diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2
diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd2: EOF while reading
+ in %s on line %d
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===