File php-CVE-2019-6978.patch of Package php7.11608

Index: php-7.0.7/ext/gd/libgd/gd_gif_out.c
===================================================================
--- php-7.0.7.orig/ext/gd/libgd/gd_gif_out.c	2019-01-31 11:43:29.055182701 +0100
+++ php-7.0.7/ext/gd/libgd/gd_gif_out.c	2019-01-31 11:47:50.032643403 +0100
@@ -97,12 +97,18 @@ static void cl_hash (register count_int
 static void char_init (GifCtx *ctx);
 static void char_out (int c, GifCtx *ctx);
 static void flush_char (GifCtx *ctx);
+
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+
 void * gdImageGifPtr (gdImagePtr im, int *size)
 {
   void *rv;
   gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
-  gdImageGifCtx (im, out);
-  rv = gdDPExtractData (out, size);
+  if (!_gdImageGifCtx(im, out)) {
+          rv = gdDPExtractData(out, size);
+  } else {
+          rv = NULL;
+  }
   out->gd_free (out);
   return rv;
 }
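Review bot: `out` is used without a NULL check in gdImageGifPtr: if `gdNewDynamicCtx (2048, NULL)` can fail, both `_gdImageGifCtx(im, out)` and `out->gd_free (out)` dereference a null pointer, so add `if (out == NULL) return NULL;` right after the allocation. On the new failure branch `rv` is NULL and this function never writes `*size`, so callers must test the return value before reading `size`. That contract deserves a comment above the function, for example `/* returns NULL on failure; *size is then left unmodified */`. The same two points apply to gdImageJpegPtr and gdImageWBMPPtr later in this patch.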
@@ -116,6 +122,12 @@ void gdImageGif (gdImagePtr im, FILE * o
 
 void gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
 {
+        _gdImageGifCtx(im, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+{
 	gdImagePtr pim = 0, tim = im;
 	int interlace, BitsPerPixel;
 	interlace = im->interlace;
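Review bot: The public wrapper drops the new status, because `_gdImageGifCtx(im, out);` ignores the int the helper returns and callers of gdImageGifCtx still cannot tell a failed encode from a successful one. If the void signature has to stay for compatibility, make the discard explicit with `(void)_gdImageGifCtx(im, out);` and add a comment such as `/* public API is void; failure is only reported through gdImageGifPtr */`. The helper name also begins with an underscore at file scope, which C reserves for the implementation; a suffix-style name such as `gdImageGifCtxImpl` avoids that. The same holds for the gdImageJpegCtx and gdImageWBMPCtx wrappers later in this patch, and the helper's body continues outside this hunk.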
@@ -125,7 +137,7 @@ void gdImageGifCtx(gdImagePtr im, gdIOCt
 			based temporary image. */
 		pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
 		if (!pim) {
-			return;
+			return 1;
 		}
 		tim = pim;
 	}
@@ -138,6 +150,7 @@ void gdImageGifCtx(gdImagePtr im, gdIOCt
 		/* Destroy palette based temporary image. */
 		gdImageDestroy(	pim);
 	}
+        return 0;
 }
 
 static int
Index: php-7.0.7/ext/gd/libgd/gd_jpeg.c
===================================================================
--- php-7.0.7.orig/ext/gd/libgd/gd_jpeg.c	2016-05-25 15:13:44.000000000 +0200
+++ php-7.0.7/ext/gd/libgd/gd_jpeg.c	2019-01-31 11:50:14.253452069 +0100
@@ -132,6 +132,8 @@ const char * gdJpegGetVersionString()
 }
 
 
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
+
 /*
  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
  * QUALITY.  If QUALITY is in the range 0-100, increasing values
@@ -152,8 +154,11 @@ void *gdImageJpegPtr (gdImagePtr im, int
 {
 	void *rv;
 	gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
-	gdImageJpegCtx (im, out, quality);
-	rv = gdDPExtractData (out, size);
+        if (!_gdImageJpegCtx(im, out, quality)) {
+                rv = gdDPExtractData(out, size);
+        } else {
+                rv = NULL;
+        }
 	out->gd_free (out);
 
 	return rv;
@@ -163,6 +168,12 @@ void jpeg_gdIOCtx_dest (j_compress_ptr c
 
 void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
 {
+       _gdImageJpegCtx(im, outfile, quality);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+{
 	struct jpeg_compress_struct cinfo;
 	struct jpeg_error_mgr jerr;
 	int i, j, jidx;
@@ -183,7 +194,7 @@ void gdImageJpegCtx (gdImagePtr im, gdIO
 		if (row) {
 			gdFree (row);
 		}
-		return;
+		return 1;
 	}
 
 	cinfo.err->error_exit = fatal_jpeg_error;
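Review bot: The error branch that now ends in `return 1;` frees only `row`, whereas the normal exit in the last hunk of this file also calls `jpeg_destroy_compress (&cinfo)`. If `cinfo` has already been set up when this branch runs (the preceding lines are outside the hunk, so this is inferred), the libjpeg state stays allocated after every failed encode, and repeated failing inputs would then grow memory. Consider adding `jpeg_destroy_compress (&cinfo);` before `return 1;`, after confirming that it is safe to call at every point from which this branch can be reached. The function body starts before and continues after this hunk.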
@@ -271,6 +282,7 @@ void gdImageJpegCtx (gdImagePtr im, gdIO
 	jpeg_finish_compress (&cinfo);
 	jpeg_destroy_compress (&cinfo);
 	gdFree (row);
+        return 0;
 }
 
 gdImagePtr gdImageCreateFromJpeg (FILE * inFile)
Index: php-7.0.7/ext/gd/libgd/gd_wbmp.c
===================================================================
--- php-7.0.7.orig/ext/gd/libgd/gd_wbmp.c	2016-05-25 15:13:44.000000000 +0200
+++ php-7.0.7/ext/gd/libgd/gd_wbmp.c	2019-01-31 11:56:11.939457702 +0100
@@ -81,6 +81,7 @@ int gd_getin (void *in)
 	return (gdGetC((gdIOCtx *) in));
 }
 
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
 
 /*      gdImageWBMPCtx
    **  --------------
@@ -93,6 +94,12 @@ int gd_getin (void *in)
  */
 void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
 {
+       _gdImageWBMPCtx(image, fg, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+{	
 	int x, y, pos;
 	Wbmp *wbmp;
 
@@ -114,10 +121,13 @@ void gdImageWBMPCtx (gdImagePtr image, i
 
 	/* write the WBMP to a gd file descriptor */
 	if (writewbmp (wbmp, &gd_putout, out)) {
+                freewbmp(wbmp);
 		php_gd_error("Could not save WBMP");
+                return 1;
 	}
 	/* des submitted this bugfix: gdFree the memory. */
 	freewbmp(wbmp);
+        return 0;
 }
 
 /* gdImageCreateFromWBMPCtx
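Review bot: Only the `writewbmp` failure branch is converted to `return 1;` here, yet `_gdImageWBMPCtx` is now declared `int` and gdImageWBMPPtr branches on its result. The lines between the function header hunk and this one are not part of the patch, so any earlier exit there (for instance, a failed WBMP allocation) is unchanged. If such a path returns without a value or falls through with an invalid `wbmp`, the caller would act on an indeterminate status or the function would go on to use the bad pointer. Please confirm that every early exit in that unshown stretch ends in `return 1;`, and extend the helper's comment to `/* returns 0 on success, 1 on failure; wbmp is always freed before return */` once that holds.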
@@ -202,8 +212,11 @@ void * gdImageWBMPPtr (gdImagePtr im, in
 {
 	void *rv;
 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-	gdImageWBMPCtx(im, fg, out);
-	rv = gdDPExtractData(out, size);
+        if (!_gdImageWBMPCtx(im, fg, out)) {
+                rv = gdDPExtractData(out, size);
+        } else {
+                rv = NULL;
+        }
 	out->gd_free(out);
 
 	return rv;