diff options
author | Li Zhou <li.zhou@windriver.com> | 2018-02-26 15:50:30 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2018-03-16 19:12:26 -0700 |
commit | 83e474f369a31eda778f2ffa5257b49e12844d2d (patch) | |
tree | 0b700fe846c392b4af353f92d6c75ee6afc919a8 /meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch | |
parent | 939c85fd90bca5ab5e6dc48e6ea79d7d194e54c0 (diff) | |
download | meta-openembedded-83e474f369a31eda778f2ffa5257b49e12844d2d.tar.gz |
php: Security Advisory - php - CVE-2018-5711
Porting the patch from <http://git.php.net/?p=php-src.git;a=commit;
h=8d6e9588671136837533fe3785657c31c5b52767> to solve CVE-2018-5711.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch')
-rw-r--r-- | meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch new file mode 100644 index 000000000..596244d6b --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Li Zhou <li.zhou@windriver.com> | ||
3 | Date: Sun, 11 Feb 2018 15:03:21 +0800 | ||
4 | Subject: [PATCH] Fixed bug #75571: Potential infinite loop in | ||
5 | gdImageCreateFromGifCtx | ||
6 | |||
7 | Due to a signedness confusion in `GetCode_` a corrupt GIF file can | ||
8 | trigger an infinite loop. Furthermore we make sure that a GIF without | ||
9 | any palette entries is treated as invalid *after* open palette entries | ||
10 | have been removed. | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2018-5711 | ||
14 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
15 | --- | ||
16 | ext/gd/libgd/gd_gif_in.c | 10 +++++----- | ||
17 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
18 | |||
19 | diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c | ||
20 | index 76ba152..7156e4b 100644 | ||
21 | --- a/ext/gd/libgd/gd_gif_in.c | ||
22 | +++ b/ext/gd/libgd/gd_gif_in.c | ||
23 | @@ -261,10 +261,6 @@ terminated: | ||
24 | if (!im) { | ||
25 | return 0; | ||
26 | } | ||
27 | - if (!im->colorsTotal) { | ||
28 | - gdImageDestroy(im); | ||
29 | - return 0; | ||
30 | - } | ||
31 | /* Check for open colors at the end, so | ||
32 | we can reduce colorsTotal and ultimately | ||
33 | BitsPerPixel */ | ||
34 | @@ -275,6 +271,10 @@ terminated: | ||
35 | break; | ||
36 | } | ||
37 | } | ||
38 | + if (!im->colorsTotal) { | ||
39 | + gdImageDestroy(im); | ||
40 | + return 0; | ||
41 | + } | ||
42 | return im; | ||
43 | } | ||
44 | /* }}} */ | ||
45 | @@ -375,7 +375,7 @@ static int | ||
46 | GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) | ||
47 | { | ||
48 | int i, j, ret; | ||
49 | - unsigned char count; | ||
50 | + int count; | ||
51 | |||
52 | if (flag) { | ||
53 | scd->curbit = 0; | ||
54 | -- | ||
55 | 1.9.1 | ||
56 | |||