diff options
author | Armin Kuster <akuster@mvista.com> | 2016-02-01 08:31:05 -0800 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2016-02-10 15:08:20 +0100 |
commit | dc5634968b270dde250690609f0015f881db81f2 (patch) | |
tree | 161cdd979a4a4cf019bc7313366c16666e74e634 | |
parent | 889258fd3af69424edbb623a1ee11b6b8b5fc553 (diff) | |
download | meta-openembedded-contrib-dc5634968b270dde250690609f0015f881db81f2.tar.gz |
php: Security fix CVE-2016-1903
CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch | 55 | ||||
-rw-r--r-- | meta-oe/recipes-devtools/php/php_5.6.12.bb | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch new file mode 100644 index 0000000000..a7c35fe439 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch @@ -0,0 +1,55 @@ +From 4b8394dd78571826ac66a69dc240c623f31d78f8 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 7 Dec 2015 23:30:49 -0800 +Subject: [PATCH] Fix bug #70976: fix boundary check on + gdImageRotateInterpolated + +Upstream-Status: Backport + +https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8 + +CVE: CVE-2016-1903 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ext/gd/libgd/gd_interpolation.c | 2 +- + ext/gd/tests/bug70976.phpt | 13 +++++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + create mode 100644 ext/gd/tests/bug70976.phpt + +diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c +index f70169d..0f874ac 100644 +--- a/ext/gd/libgd/gd_interpolation.c ++++ b/ext/gd/libgd/gd_interpolation.c +@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in + { + const int angle_rounded = (int)floor(angle * 100); + +- if (bgcolor < 0) { ++ if (bgcolor < 0 || bgcolor >= gdMaxColors) { + return NULL; + } + +diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt +new file mode 100644 +index 0000000..23af4ee +--- /dev/null ++++ b/ext/gd/tests/bug70976.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds) ++--SKIPIF-- ++<?php ++ if(!extension_loaded('gd')){ die('skip gd extension not available'); } ++?> ++--FILE-- ++<?php ++$img = imagerotate(imagecreate(1,1),45,0x7ffffff9); ++var_dump($img); ++?> ++--EXPECTF-- ++bool(false) +\ No newline at end of file +-- +2.3.5 + diff --git a/meta-oe/recipes-devtools/php/php_5.6.12.bb b/meta-oe/recipes-devtools/php/php_5.6.12.bb index caa0867b01..bd9a5b601c 100644 --- a/meta-oe/recipes-devtools/php/php_5.6.12.bb +++ b/meta-oe/recipes-devtools/php/php_5.6.12.bb @@ -3,6 +3,7 @@ require php.inc SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \ file://CVE-2015-7803.patch \ file://CVE-2015-7804.patch \ + file://CVE-2016-1903.patch \ " SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b" SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a" |