php: Security Advisory - php - CVE-2018-5711

Porting the patch from <http://git.php.net/?p=php-src.git;a=commit; h=8d6e9588671136837533fe3785657c31c5b52767> to solve CVE-2018-5711. Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Li Zhou <li.zhou@windriver.com> 2018-02-26 15:50:30 +0800
committer: Armin Kuster <akuster808@gmail.com> 2018-03-16 19:12:26 -0700
commit: 83e474f369a31eda778f2ffa5257b49e12844d2d (patch)
tree: 0b700fe846c392b4af353f92d6c75ee6afc919a8 /meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
parent: 939c85fd90bca5ab5e6dc48e6ea79d7d194e54c0 (diff)
download: meta-openembedded-83e474f369a31eda778f2ffa5257b49e12844d2d.tar.gz
1 files changed, 56 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
new file mode 100644
index 000000000..596244d6b
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
@@ -0,0 +1,56 @@
+From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Sun, 11 Feb 2018 15:03:21 +0800
+Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
+ gdImageCreateFromGifCtx
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+Upstream-Status: Backport
+CVE: CVE-2018-5711
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ ext/gd/libgd/gd_gif_in.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index 76ba152..7156e4b 100644
+--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
+@@ -261,10 +261,6 @@ terminated:
+        if (!im) {
+                return 0;
+        }
+-       if (!im->colorsTotal) {
+-               gdImageDestroy(im);
+-               return 0;
+-       }
+        /* Check for open colors at the end, so
+           we can reduce colorsTotal and ultimately
+           BitsPerPixel */
+@@ -275,6 +271,10 @@ terminated:
+                        break;
+                }
+        }
+       if (!im->colorsTotal) {
+               gdImageDestroy(im);
+               return 0;
+       }
+        return im;
+ }
+ /* }}} */
+@@ -375,7 +375,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+        int           i, j, ret;
+-       unsigned char count;
+       int           count;
+ 
+        if (flag) {
+                scd->curbit = 0;
+-- 
+1.9.1
author	Li Zhou <li.zhou@windriver.com>	2018-02-26 15:50:30 +0800
committer	Armin Kuster <akuster808@gmail.com>	2018-03-16 19:12:26 -0700
commit	83e474f369a31eda778f2ffa5257b49e12844d2d (patch)
tree	0b700fe846c392b4af353f92d6c75ee6afc919a8 /meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
parent	939c85fd90bca5ab5e6dc48e6ea79d7d194e54c0 (diff)
download	meta-openembedded-83e474f369a31eda778f2ffa5257b49e12844d2d.tar.gz

diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch new file mode 100644 index 000000000..596244d6b --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
@@ -0,0 +1,56 @@
	1	From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001
	2	From: Li Zhou <li.zhou@windriver.com>
	3	Date: Sun, 11 Feb 2018 15:03:21 +0800
	4	Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
	5	gdImageCreateFromGifCtx
	6
	7	Due to a signedness confusion in `GetCode_` a corrupt GIF file can
	8	trigger an infinite loop. Furthermore we make sure that a GIF without
	9	any palette entries is treated as invalid after open palette entries
	10	have been removed.
	11
	12	Upstream-Status: Backport
	13	CVE: CVE-2018-5711
	14	Signed-off-by: Li Zhou <li.zhou@windriver.com>
	15	---
	16	ext/gd/libgd/gd_gif_in.c \| 10 +++++-----
	17	1 file changed, 5 insertions(+), 5 deletions(-)
	18
	19	diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
	20	index 76ba152..7156e4b 100644
	21	--- a/ext/gd/libgd/gd_gif_in.c
	22	+++ b/ext/gd/libgd/gd_gif_in.c
	23	@@ -261,10 +261,6 @@ terminated:
	24	if (!im) {
	25	return 0;
	26	}
	27	- if (!im->colorsTotal) {
	28	- gdImageDestroy(im);
	29	- return 0;
	30	- }
	31	/* Check for open colors at the end, so
	32	we can reduce colorsTotal and ultimately
	33	BitsPerPixel */
	34	@@ -275,6 +271,10 @@ terminated:
	35	break;
	36	}
	37	}
	38	+ if (!im->colorsTotal) {
	39	+ gdImageDestroy(im);
	40	+ return 0;
	41	+ }
	42	return im;
	43	}
	44	/* }}} */
	45	@@ -375,7 +375,7 @@ static int
	46	GetCode_(gdIOCtx fd, CODE_STATIC_DATA scd, int code_size, int flag, int *ZeroDataBlockP)
	47	{
	48	int i, j, ret;
	49	- unsigned char count;
	50	+ int count;
	51
	52	if (flag) {
	53	scd->curbit = 0;
	54	--
	55	1.9.1
	56