diff options
| author |   Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-07-07 19:11:10 +0530 |
|---|---|---|
| committer |   Armin Kuster <akuster808@gmail.com> | 2017-11-16 15:29:25 -0800 |
| commit | 4c57e20705c4b2afa1ae5ef6a1db3c18ddb6ce6c (patch) | |
| tree | 411d136e67d4c3c45948d56ae9aa614651432279 | |
| parent | e76c1874456c8f131a8104d1359befd24a19036a (diff) | |
| download | meta-openembedded-contrib-4c57e20705c4b2afa1ae5ef6a1db3c18ddb6ce6c.tar.gz | |
php: CVE-2016-9933
Source: php-src.git
MR: 70039
Type: Security Fix
Disposition: Backport from php-7.2.0
ChangeID: 7af5552e8c05decf9ea6de19c81ee4bf0037f56f
Description:
imagefilltoborder stackoverflow on truecolor images
We must not allow negative color values be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch | 42 | ||||
| -rw-r--r-- | meta-oe/recipes-devtools/php/php_5.6.26.bb | 1 |
2 files changed, 43 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch new file mode 100644 index 0000000000..0d5a9d2336 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch @@ -0,0 +1,42 @@ +Fix #72696: imagefilltoborder stackoverflow on truecolor images + +We must not allow negative color values be passed to +gdImageFillToBorder(), because that can lead to infinite recursion +since the recursion termination condition will not necessarily be met. + +Upstream-status: Backport + +CVE: CVE-2016-9933 +Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> +Index: php-5.6.26/ext/gd/libgd/gd.c +=================================================================== +--- php-5.6.26.orig/ext/gd/libgd/gd.c 2016-09-16 02:32:50.000000000 +0530 ++++ php-5.6.26/ext/gd/libgd/gd.c 2017-07-07 18:18:38.079721713 +0530 +@@ -1780,7 +1780,7 @@ + int leftLimit = -1, rightLimit; + int i, restoreAlphaBlending = 0; + +- if (border < 0) { ++ if (border < 0 || color < 0) { + /* Refuse to fill to a non-solid border */ + return; + } +Index: php-5.6.26/ext/gd/tests/bug72696.phpt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ php-5.6.26/ext/gd/tests/bug72696.phpt 2017-07-07 18:19:16.939987470 +0530 +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #72696 (imagefilltoborder stackoverflow on truecolor images) ++--SKIPIF-- ++<?php ++if (!extension_loaded('gd')) die('skip gd extension not available'); ++?> ++--FILE-- ++<?php ++$im = imagecreatetruecolor(10, 10); ++imagefilltoborder($im, 0, 0, 1, -2); ++?> ++===DONE=== ++--EXPECT-- ++===DONE=== diff --git a/meta-oe/recipes-devtools/php/php_5.6.26.bb b/meta-oe/recipes-devtools/php/php_5.6.26.bb index 741c825b94..a10d2a6bc1 100644 --- a/meta-oe/recipes-devtools/php/php_5.6.26.bb +++ b/meta-oe/recipes-devtools/php/php_5.6.26.bb @@ -6,6 +6,7 @@ SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \ file://CVE-2016-9137.patch \ file://CVE-2016-9934.patch \ file://CVE-2016-9935.patch \ + file://CVE-2016-9933.patch \ " SRC_URI[md5sum] = "cb424b705cfb715fc04f499f8a8cf52e" SRC_URI[sha256sum] = "d47aab8083a4284b905777e1b45dd7735adc53be827b29f896684750ac8b6236" |