mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-05-18 21:46:20 +00:00
83e474f369
Porting the patch from <http://git.php.net/?p=php-src.git;a=commit; h=8d6e9588671136837533fe3785657c31c5b52767> to solve CVE-2018-5711. Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
57 lines
1.4 KiB
Diff
57 lines
1.4 KiB
Diff
From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001
|
|
From: Li Zhou <li.zhou@windriver.com>
|
|
Date: Sun, 11 Feb 2018 15:03:21 +0800
|
|
Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
|
|
gdImageCreateFromGifCtx
|
|
|
|
Due to a signedness confusion in `GetCode_` a corrupt GIF file can
|
|
trigger an infinite loop. Furthermore we make sure that a GIF without
|
|
any palette entries is treated as invalid *after* open palette entries
|
|
have been removed.
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2018-5711
|
|
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
|
---
|
|
ext/gd/libgd/gd_gif_in.c | 10 +++++-----
|
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
|
|
index 76ba152..7156e4b 100644
|
|
--- a/ext/gd/libgd/gd_gif_in.c
|
|
+++ b/ext/gd/libgd/gd_gif_in.c
|
|
@@ -261,10 +261,6 @@ terminated:
|
|
if (!im) {
|
|
return 0;
|
|
}
|
|
- if (!im->colorsTotal) {
|
|
- gdImageDestroy(im);
|
|
- return 0;
|
|
- }
|
|
/* Check for open colors at the end, so
|
|
we can reduce colorsTotal and ultimately
|
|
BitsPerPixel */
|
|
@@ -275,6 +271,10 @@ terminated:
|
|
break;
|
|
}
|
|
}
|
|
+ if (!im->colorsTotal) {
|
|
+ gdImageDestroy(im);
|
|
+ return 0;
|
|
+ }
|
|
return im;
|
|
}
|
|
/* }}} */
|
|
@@ -375,7 +375,7 @@ static int
|
|
GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
|
|
{
|
|
int i, j, ret;
|
|
- unsigned char count;
|
|
+ int count;
|
|
|
|
if (flag) {
|
|
scd->curbit = 0;
|
|
--
|
|
1.9.1
|
|
|