From 69dca143c9eb11a022919e65c5b449fe2ff24530 Mon Sep 17 00:00:00 2001
From: Pierre Joye
Date: Wed, 16 May 2007 22:16:22 +0000
Subject: [PATCH] - libgd #86: Fixed possible infinite loop in libgd/gd_png.c (Reported by Xavier Roche)
---
 ext/gd/libgd/gd_png.c | 6 +++++-
 ext/gd/tests/libgd00086.phpt | 21 +++++++++++++++++++++
 ext/gd/tests/libgd00086.png | Bin 0 -> 93 bytes
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 ext/gd/tests/libgd00086.phpt
 create mode 100644 ext/gd/tests/libgd00086.png
diff --git a/ext/gd/libgd/gd_png.c b/ext/gd/libgd/gd_png.c
index 0f6436f1204..a002a952128 100644
--- a/ext/gd/libgd/gd_png.c
+++ b/ext/gd/libgd/gd_png.c
@@ -71,7 +71,11 @@ static void gdPngErrorHandler (png_structp png_ptr, png_const_charp msg)
 static void gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
- gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+ int check;
+ check = gdGetBuf(data, length, (gdIOCtx *) png_get_io_ptr(png_ptr));
+ if (check != length) {
+ png_error(png_ptr, "Read Error: truncated data");
+ }
 }
 static void gdPngWriteData (png_structp png_ptr, png_bytep data, png_size_t length)
diff --git a/ext/gd/tests/libgd00086.phpt b/ext/gd/tests/libgd00086.phpt
new file mode 100644
index 00000000000..68f589a5bd4
--- /dev/null
+++ b/ext/gd/tests/libgd00086.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #39780 (PNG image with CRC/data error raises a fatal error)
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+
+Warning: imagecreatefrompng(): gd-png: fatal libpng error: Read Error: truncated data in %s on line %d
+
+Warning: imagecreatefrompng(): gd-png error: setjmp returns error condition in %s on line %d
+
+Warning: imagecreatefrompng(): '%s' is not a valid PNG file in %s on line %d
+bool(false)
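Review bot: In gdPngReadData the new `check` is an `int` while `length` is a `png_size_t`, so `check != length` is a signed/unsigned comparison and the value returned by gdGetBuf is converted before the test. The guard still fires on a short read, but it reads more clearly and compiles warning-free as `if (check < 0 || (png_size_t) check != length) {`. If gdGetBuf takes its size as an `int` (its prototype is not in this hunk), a `length` above INT_MAX would also be narrowed at the call, which is worth rejecting first because this callback is fed by untrusted image data. A short comment such as `/* png_error() does not return; the error handler unwinds to the caller */` would explain why nothing follows the call.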
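Review bot: The --TEST-- title in libgd00086.phpt reads `Bug #39780 (PNG image with CRC/data error raises a fatal error)`, while the file name and the commit subject refer to libgd #86, so the title looks carried over from another test. Naming the case actually covered, for example `libgd #86 (Possible infinite loop in imagecreatefrompng)`, would make a failure in the test run traceable to this fix.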
diff --git a/ext/gd/tests/libgd00086.png b/ext/gd/tests/libgd00086.png new file mode 100644 index 0000000000000000000000000000000000000000..0e7c8dda0adc58ecb74247b120b5ee52a153f5b2 GIT binary patch literal 93 zcmeAS@N?(olHy`uVBq!ia0vp^6+qm~!3HGV4DWLQDYhhUcNd2LAh=-f^2tCE&H|6f fVg`m7HxOnNnd0mS5-cllOb60n{S1$If9e7NfhrWd literal 0 HcmV?d00001