Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf

We make sure to never pass a negative `rlen` as size to memcpy(). Cf. <https://github.com/libgd/libgd/commit/53110871>.
2025-01-23 20:23:31 +08:00 · 2016-10-13 11:10:02 +02:00 · 2016-10-13 11:10:02 +02:00 · cc08cbc84d
commit cc08cbc84d
parent 43ccf23d70
2 changed files with 2 additions and 1 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@ PHP                                                                        NEWS
  . Fixed bug #73272 (imagescale() is not affected by, but affects
    imagesetinterpolation()). (cmb)
  . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
+  . Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)

 - SOAP:
  . Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
--- a/ext/gd/libgd/gd_io_dp.c
+++ b/ext/gd/libgd/gd_io_dp.c
@ -237,7 +237,7 @@ static int dynamicGetbuf (gdIOCtxPtr ctx, void *buf, int len)
 	if (remain >= len) {
 		rlen = len;
 	} else {
-		if (remain == 0) {
+		if (remain <= 0) {
 			return EOF;
 		}
 		rlen = remain;