1 files changed, 56 insertions, 0 deletions

diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
new file mode 100644
index 0000000000..596244d6ba
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
@@ -0,0 +1,56 @@
+From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Sun, 11 Feb 2018 15:03:21 +0800
+Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
+ gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+Upstream-Status: Backport
+CVE: CVE-2018-5711
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ ext/gd/libgd/gd_gif_in.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index 76ba152..7156e4b 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -261,10 +261,6 @@ terminated:
+ 	if (!im) {
+ 		return 0;
+ 	}
+-	if (!im->colorsTotal) {
+-		gdImageDestroy(im);
+-		return 0;
+-	}
+ 	/* Check for open colors at the end, so
+ 	   we can reduce colorsTotal and ultimately
+ 	   BitsPerPixel */
+@@ -275,6 +271,10 @@ terminated:
+ 			break;
+ 		}
+ 	}
++	if (!im->colorsTotal) {
++		gdImageDestroy(im);
++		return 0;
++	}
+ 	return im;
+ }
+ /* }}} */
+@@ -375,7 +375,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ 	int           i, j, ret;
+-	unsigned char count;
++	int           count;
+ 
+ 	if (flag) {
+ 		scd->curbit = 0;
+-- 
+1.9.1
+