Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
php5.3822
php-CVE-2014-9709.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-CVE-2014-9709.patch of Package php5.3822
From: Remi Collet <remi@php.net> Date: Sat, 13 Dec 2014 08:03:44 +0000 (+0100) Subject: Fix bug #68601 buffer read overflow in gd_gif_in.c X-Git-Tag: php-5.5.21RC1~38 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c Fix bug #68601 buffer read overflow in gd_gif_in.c --- Index: ext/gd/libgd/gd_gif_in.c =================================================================== --- ext/gd/libgd/gd_gif_in.c.orig 2014-10-01 11:17:38.000000000 +0200 +++ ext/gd/libgd/gd_gif_in.c 2015-03-24 15:59:13.076070347 +0100 @@ -72,8 +72,10 @@ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) +#define CSD_BUF_SIZE 280 + typedef struct { - unsigned char buf[280]; + unsigned char buf[CSD_BUF_SIZE]; int curbit, lastbit, done, last_byte; } CODE_STATIC_DATA; @@ -398,9 +400,14 @@ scd->lastbit = (2+count)*8 ; } - ret = 0; - for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) - ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j; + if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) { + ret = -1; + } else { + ret = 0; + for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + } + } scd->curbit += code_size; return ret;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor