File php-CVE-2014-9709.patch of Package php5.openSUSE_Leap_42.1_Update
From: Remi Collet <remi@php.net>
Date: Sat, 13 Dec 2014 08:03:44 +0000 (+0100)
Subject: Fix bug #68601 buffer read overflow in gd_gif_in.c
X-Git-Tag: php-5.5.21RC1~38
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c
Fix bug #68601 buffer read overflow in gd_gif_in.c
---
Index: ext/gd/libgd/gd_gif_in.c
===================================================================
--- ext/gd/libgd/gd_gif_in.c.orig 2014-10-01 11:17:38.000000000 +0200
+++ ext/gd/libgd/gd_gif_in.c 2015-03-24 15:59:13.076070347 +0100
@@ -72,8 +72,10 @@
#define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+#define CSD_BUF_SIZE 280
+
typedef struct {
- unsigned char buf[280];
+ unsigned char buf[CSD_BUF_SIZE];
int curbit, lastbit, done, last_byte;
} CODE_STATIC_DATA;
@@ -398,9 +400,14 @@
scd->lastbit = (2+count)*8 ;
}
- ret = 0;
- for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+ if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) {
+ ret = -1;
+ } else {
+ ret = 0;
+ for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ }
+ }
scd->curbit += code_size;
return ret;