Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx

Due to a signedness confusion in `GetCode_` a corrupt GIF file can trigger an infinite loop. Furthermore we make sure that a GIF without any palette entries is treated as invalid *after* open palette entries have been removed. (cherry picked from commit 8d6e958)
php · Jan 2, 2018 · 3b50e23 · 3b50e23
1 parent 8c26020
commit 3b50e23
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
@@ -262,10 +262,6 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	if (!im) {
 		return 0;
 	}
-	if (!im->colorsTotal) {
-		gdImageDestroy(im);
-		return 0;
-	}
 	/* Check for open colors at the end, so
 	   we can reduce colorsTotal and ultimately
 	   BitsPerPixel */
@@ -276,6 +272,10 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 			break;
 		}
 	}
+	if (!im->colorsTotal) {
+		gdImageDestroy(im);
+		return 0;
+	}
 	return im;
 }
 /* }}} */
@@ -376,7 +376,7 @@ static int
 GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
 {
 	int           i, j, ret;
-	unsigned char count;
+	int           count;
 
 	if (flag) {
 		scd->curbit = 0;

diff --git a/ext/gd/tests/bug75571.gif b/ext/gd/tests/bug75571.gif
diff --git a/ext/gd/tests/bug75571.phpt b/ext/gd/tests/bug75571.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #75571 (Infinite loop in GIF reading causing DoS)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgif(__DIR__ . '/bug75571.gif'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgif(): '%s' is not a valid GIF file in %s on line %d
+bool(false)
+===DONE===