blob: f2e23b3f09d1168f1ecef8faaf23414e9ba95bef (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
modphp: Security Advisory - php - CVE-2014-5120
Upstream-Status: Backport
Signed-off-by Yue Tao <yue.tao@windriver.com>
From 706aefb78112a44d4932d4c9430c6a898696f51f Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Aug 2014 22:49:10 -0700
Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
functions
---
ext/gd/gd_ctx.c | 5 +++++
2 files changed, 7 insertions(+)
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
index bff691f..eafbab5 100644
--- a/ext/gd/gd_ctx.c
+++ b/ext/gd/gd_ctx.c
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
RETURN_FALSE;
}
} else if (Z_TYPE_P(to_zval) == IS_STRING) {
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+ RETURN_FALSE;
+ }
+
stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
if (stream == NULL) {
RETURN_FALSE;
--
1.7.9.5
|