- libgd #86: Fixed possible infinite loop in libgd/gd_png.c

(Reported by Xavier Roche)
2025-01-11 05:24:49 +08:00 · 2007-05-16 22:16:22 +00:00 · 2007-05-16 22:16:22 +00:00 · 69dca143c9
commit 69dca143c9
parent b83260a150
3 changed files with 26 additions and 1 deletions
--- a/ext/gd/libgd/gd_png.c
+++ b/ext/gd/libgd/gd_png.c
@ -71,7 +71,11 @@ static void gdPngErrorHandler (png_structp png_ptr, png_const_charp msg)

 static void gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
-	gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+	int check;
+	check = gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+	if (check != length) {
+		png_error(png_ptr, "Read Error: truncated data");
+	}
 }

 static void gdPngWriteData (png_structp png_ptr, png_bytep data, png_size_t length)
--- a/ext/gd/tests/libgd00086.phpt
+++ b/ext/gd/tests/libgd00086.phpt
@ -0,0 +1,21 @@
+--TEST--
+Bug #39780 (PNG image with CRC/data error raises a fatal error)
+--SKIPIF--
+<?php 
+	if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+	if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+
+$im = imagecreatefrompng(dirname(__FILE__) . '/libgd00086.png');
+var_dump($im);
+?>
+--EXPECTF--
+
+Warning: imagecreatefrompng(): gd-png:  fatal libpng error: Read Error: truncated data in %s on line %d
+
+Warning: imagecreatefrompng(): gd-png error: setjmp returns error condition in %s on line %d
+
+Warning: imagecreatefrompng(): '%s' is not a valid PNG file in %s on line %d
+bool(false)
--- a/ext/gd/tests/libgd00086.png
+++ b/ext/gd/tests/libgd00086.png