Fix #77973: Uninitialized read in gdImageCreateFromXbm

We have to ensure that `sscanf()` does indeed read a hex value here,
and bail out otherwise.

(cherry picked from commit ed6dee9)

Author: cmb69

NEWS

@@ -16,6 +16,8 @@ PHP                                                                        NEWS
 
 - GD:
   . Fixed bug #77943 (imageantialias($image, false); does not work). (cmb)
+  . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm).
+    (CVE-2019-11038) (cmb)
 
 - JSON:
   . Fixed bug #77843 (Use after free with json serializer). (Nikita)

ext/gd/libgd/gd_xbm.c

@@ -136,7 +136,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
 			}
 			h[3] = ch;
 		}
-		sscanf(h, "%x", &b);
+		if (sscanf(h, "%x", &b) != 1) {
+			gd_error("invalid XBM");
+			gdImageDestroy(im);
+			return 0;
+		}
 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
 			if (x == im->sx) {

ext/gd/tests/bug77973.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #77973 (Uninitialized read in gdImageCreateFromXbm)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die("skip gd extension not available");
+if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available");
+?>
+--FILE--
+<?php
+$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a");
+$filepath = __DIR__ . '/bug77973.xbm';
+file_put_contents($filepath, $contents);
+$im = imagecreatefromxbm($filepath);
+var_dump($im);
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromxbm(): invalid XBM in %s on line %d
+
+Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d
+bool(false)
+===DONE===
+--CLEAN--
+<?php
+unlink(__DIR__ . '/bug77973.xbm');
+?>