]>
Commit | Line | Data |
---|---|---|
9fd17760 ER |
1 | From cf4753691dc55999373d1c576f62ecb298723420 Mon Sep 17 00:00:00 2001 |
2 | From: Remi Collet <remi@php.net> | |
3 | Date: Mon, 4 Aug 2014 10:42:39 +0200 | |
4 | Subject: [PATCH] Fixed Bug #66901 php-gd 'c_color' NULL pointer dereference | |
5 | ||
6 | Upstream https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704 | |
7 | ||
8 | Notice: this fix don't manage monochrome/monovisual values | |
9 | but just fix the security issue CVE-2014-2497 | |
10 | failing when trying to load such an image | |
11 | --- | |
12 | ext/gd/libgd/gdxpm.c | 7 ++++++- | |
13 | 1 file changed, 6 insertions(+), 1 deletion(-) | |
14 | ||
15 | diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c | |
16 | index 73f86e5..b69414e 100644 | |
17 | --- a/ext/gd/libgd/gdxpm.c | |
18 | +++ b/ext/gd/libgd/gdxpm.c | |
19 | @@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename) | |
20 | if (ret != XpmSuccess) { | |
21 | return 0; | |
22 | } | |
23 | + number = image.ncolors; | |
24 | + for(i = 0; i < number; i++) { | |
25 | + if (!image.colorTable[i].c_color) { | |
26 | + goto done; | |
27 | + } | |
28 | + } | |
29 | ||
30 | if (!(im = gdImageCreate(image.width, image.height))) { | |
31 | goto done; | |
32 | } | |
33 | ||
34 | - number = image.ncolors; | |
35 | colors = (int *) safe_emalloc(number, sizeof(int), 0); | |
36 | for (i = 0; i < number; i++) { | |
37 | switch (strlen (image.colorTable[i].c_color)) { | |
38 | -- | |
39 | 1.9.2 | |
40 |