Merge branch 'PHP-7.4'

* PHP-7.4: Update NEWS Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow Fix #77973: Uninitialized read in gdImageCreateFromXbm
2024-11-28 04:14:26 +08:00 · 2019-05-27 16:49:37 -07:00 · 2019-05-27 16:49:37 -07:00 · 12d68d0272
commit 12d68d0272
parent 8a11f3b166 5e3dc08826
5 changed files with 49 additions and 2 deletions
--- a/ext/gd/libgd/gd_xbm.c
+++ b/ext/gd/libgd/gd_xbm.c
@ -136,7 +136,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
 			}
 			h[3] = ch;
 		}
-		sscanf(h, "%x", &b);
+		if (sscanf(h, "%x", &b) != 1) {
+			php_gd_error("invalid XBM");
+			gdImageDestroy(im);
+			return 0;
+		}
 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
 			if (x == im->sx) {
--- a/ext/gd/tests/bug77973.phpt
+++ b/ext/gd/tests/bug77973.phpt
@ -0,0 +1,26 @@
+--TEST--
+Bug #77973 (Uninitialized read in gdImageCreateFromXbm)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die("skip gd extension not available");
+if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available");
+?>
+--FILE--
+<?php
+$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a");
+$filepath = __DIR__ . '/bug77973.xbm';
+file_put_contents($filepath, $contents);
+$im = imagecreatefromxbm($filepath);
+var_dump($im);
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromxbm(): invalid XBM in %s on line %d
+
+Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d
+bool(false)
+===DONE===
+--CLEAN--
+<?php
+unlink(__DIR__ . '/bug77973.xbm');
+?>
--- a/ext/iconv/iconv.c
+++ b/ext/iconv/iconv.c
@ -1648,7 +1648,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
 							 * we can do at this point. */
 							if (*(p1 + 1) == '=') {
 								++p1;
-								--str_left;
+								if (str_left > 1) {
+									--str_left;
+								}
 							}

 							err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
--- a/ext/iconv/tests/bug78069.data
+++ b/ext/iconv/tests/bug78069.data
--- a/ext/iconv/tests/bug78069.phpt
+++ b/ext/iconv/tests/bug78069.phpt
@ -0,0 +1,15 @@
+--TEST--
+Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('iconv')) die('skip ext/iconv required');
+?>
+--FILE--
+<?php
+$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2);
+var_dump(count($hdr));
+?>
+DONE
+--EXPECT--
+int(1)
+DONE