Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- MFH: CVE-2007-1001, integer overflow with invalid wbmp images
- Loading branch information
1 parent
0edbc8d
commit 3332377
Showing
7 changed files
with
109 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
/* | ||
* gd_security.c | ||
* | ||
* Implements buffer overflow check routines. | ||
* | ||
* Written 2004, Phil Knirsch. | ||
* Based on netpbm fixes by Alan Cox. | ||
* | ||
*/ | ||
|
||
#ifdef HAVE_CONFIG_H | ||
#include "config.h" | ||
#endif | ||
|
||
#include <stdio.h> | ||
#include <stdlib.h> | ||
#include <limits.h> | ||
#include "gd.h" | ||
|
||
int overflow2(int a, int b) | ||
{ | ||
if(a < 0 || b < 0) { | ||
php_gd_error("gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); | ||
return 1; | ||
} | ||
if(b == 0) | ||
return 0; | ||
if(a > INT_MAX / b) { | ||
php_gd_error("gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); | ||
return 1; | ||
} | ||
return 0; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
--TEST-- | ||
imagecreatefromwbmp with invalid wbmp | ||
--SKIPIF-- | ||
<?php | ||
if (!function_exists('imagecreatefromwbmp')) die("skip gd extension not available\n"); | ||
?> | ||
--FILE-- | ||
<?php | ||
$filename = dirname(__FILE__) . '/_tmp.wbmp'; | ||
$fp = fopen($filename,"wb"); | ||
if (!$fp) { | ||
exit("Failed to create <$filename>"); | ||
} | ||
|
||
//write header | ||
$c = 0; | ||
fputs($fp, chr($c), 1); | ||
fputs($fp, $c, 1); | ||
|
||
//write width = 2^32 / 4 + 1 | ||
$c = 0x84; | ||
fputs($fp, chr($c), 1); | ||
$c = 0x80; | ||
fputs($fp, chr($c), 1); | ||
fputs($fp, chr($c), 1); | ||
fputs($fp, chr($c), 1); | ||
$c = 0x01; | ||
fputs($fp, chr($c), 1); | ||
|
||
/*write height = 4*/ | ||
$c = 0x04; | ||
fputs($fp, chr($c), 1); | ||
|
||
/*write some data to cause overflow*/ | ||
for ($i=0; $i<10000; $i++) { | ||
fwrite($fp, chr($c), 1); | ||
} | ||
|
||
fclose($fp); | ||
$im = imagecreatefromwbmp($filename); | ||
unlink($filename); | ||
?> | ||
--EXPECTF-- | ||
Warning: imagecreatefromwbmp() [/phpmanual/function.imagecreatefromwbmp.html]: gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully | ||
in %s on line %d | ||
|
||
Warning: imagecreatefromwbmp() [/phpmanual/function.imagecreatefromwbmp.html]: '%s' is not a valid WBMP file in %s on line %d |