diff options
Diffstat (limited to 'meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch')
-rw-r--r-- | meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch new file mode 100644 index 0000000000..596244d6ba --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch @@ -0,0 +1,56 @@ +From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001 +From: Li Zhou <li.zhou@windriver.com> +Date: Sun, 11 Feb 2018 15:03:21 +0800 +Subject: [PATCH] Fixed bug #75571: Potential infinite loop in + gdImageCreateFromGifCtx + +Due to a signedness confusion in `GetCode_` a corrupt GIF file can +trigger an infinite loop. Furthermore we make sure that a GIF without +any palette entries is treated as invalid *after* open palette entries +have been removed. + +Upstream-Status: Backport +CVE: CVE-2018-5711 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + ext/gd/libgd/gd_gif_in.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c +index 76ba152..7156e4b 100644 +--- a/ext/gd/libgd/gd_gif_in.c ++++ b/ext/gd/libgd/gd_gif_in.c +@@ -261,10 +261,6 @@ terminated: + if (!im) { + return 0; + } +- if (!im->colorsTotal) { +- gdImageDestroy(im); +- return 0; +- } + /* Check for open colors at the end, so + we can reduce colorsTotal and ultimately + BitsPerPixel */ +@@ -275,6 +271,10 @@ terminated: + break; + } + } ++ if (!im->colorsTotal) { ++ gdImageDestroy(im); ++ return 0; ++ } + return im; + } + /* }}} */ +@@ -375,7 +375,7 @@ static int + GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) + { + int i, j, ret; +- unsigned char count; ++ int count; + + if (flag) { + scd->curbit = 0; +-- +1.9.1 + |