php: Security fix CVE-2016-1903

CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated Signed-off-by: Armin Kuster <akuster@mvista.com>
author: Armin Kuster <akuster@mvista.com> 2016-02-01 08:31:05 -0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2016-02-10 15:08:20 +0100
commit: dc5634968b270dde250690609f0015f881db81f2 (patch)
tree: 161cdd979a4a4cf019bc7313366c16666e74e634 /meta-oe/recipes-devtools
parent: 889258fd3af69424edbb623a1ee11b6b8b5fc553 (diff)
download: meta-openembedded-dc5634968b270dde250690609f0015f881db81f2.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch
new file mode 100644
index 000000000..a7c35fe43
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch
@@ -0,0 +1,55 @@
+From 4b8394dd78571826ac66a69dc240c623f31d78f8 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 7 Dec 2015 23:30:49 -0800
+Subject: [PATCH] Fix bug #70976: fix boundary check on
+ gdImageRotateInterpolated
+Upstream-Status: Backport
+https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8
+CVE:  CVE-2016-1903
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ext/gd/libgd/gd_interpolation.c |  2 +-
+ ext/gd/tests/bug70976.phpt      | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100644 ext/gd/tests/bug70976.phpt
+diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
+index f70169d..0f874ac 100644
+--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
+@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
+ {
+        const int angle_rounded = (int)floor(angle * 100);
+ 
+-       if (bgcolor < 0) {
+       if (bgcolor < 0 || bgcolor >= gdMaxColors) {
+                return NULL;
+        }
+ 
+diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt
+new file mode 100644
+index 0000000..23af4ee
+--- /dev/null
+++ b/ext/gd/tests/bug70976.phpt
+@@ -0,0 +1,13 @@
+--TEST--
+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
+--SKIPIF--
+<?php
+       if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+?>
+--FILE--
+<?php
+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
+var_dump($img);
+?>
+--EXPECTF--
+bool(false)
+\ No newline at end of file
+-- 
+2.3.5
diff --git a/meta-oe/recipes-devtools/php/php_5.6.12.bb b/meta-oe/recipes-devtools/php/php_5.6.12.bb
index caa0867b0..bd9a5b601 100644
--- a/meta-oe/recipes-devtools/php/php_5.6.12.bb
+++ b/meta-oe/recipes-devtools/php/php_5.6.12.bb
@@ -3,6 +3,7 @@ require php.inc
 SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
            file://CVE-2015-7803.patch \
            file://CVE-2015-7804.patch \
+            file://CVE-2016-1903.patch \
 "
 SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b"
 SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a"
author	Armin Kuster <akuster@mvista.com>	2016-02-01 08:31:05 -0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2016-02-10 15:08:20 +0100
commit	dc5634968b270dde250690609f0015f881db81f2 (patch)
tree	161cdd979a4a4cf019bc7313366c16666e74e634 /meta-oe/recipes-devtools
parent	889258fd3af69424edbb623a1ee11b6b8b5fc553 (diff)
download	meta-openembedded-dc5634968b270dde250690609f0015f881db81f2.tar.gz

diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch new file mode 100644 index 000000000..a7c35fe43 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-5.6.12/CVE-2016-1903.patch
@@ -0,0 +1,55 @@
		1	From 4b8394dd78571826ac66a69dc240c623f31d78f8 Mon Sep 17 00:00:00 2001
		2	From: Stanislav Malyshev <stas@php.net>
		3	Date: Mon, 7 Dec 2015 23:30:49 -0800
		4	Subject: [PATCH] Fix bug #70976: fix boundary check on
		5	gdImageRotateInterpolated
		6
		7	Upstream-Status: Backport
		8
		9	https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8
		10
		11	CVE: CVE-2016-1903
		12	Signed-off-by: Armin Kuster <akuster@mvista.com>
		13
		14	---
		15	ext/gd/libgd/gd_interpolation.c \| 2 +-
		16	ext/gd/tests/bug70976.phpt \| 13 +++++++++++++
		17	2 files changed, 14 insertions(+), 1 deletion(-)
		18	create mode 100644 ext/gd/tests/bug70976.phpt
		19
		20	diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
		21	index f70169d..0f874ac 100644
		22	--- a/ext/gd/libgd/gd_interpolation.c
		23	+++ b/ext/gd/libgd/gd_interpolation.c
		24	@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
		25	{
		26	const int angle_rounded = (int)floor(angle * 100);
		27
		28	- if (bgcolor < 0) {
		29	+ if (bgcolor < 0 \|\| bgcolor >= gdMaxColors) {
		30	return NULL;
		31	}
		32
		33	diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt
		34	new file mode 100644
		35	index 0000000..23af4ee
		36	--- /dev/null
		37	+++ b/ext/gd/tests/bug70976.phpt
		38	@@ -0,0 +1,13 @@
		39	+--TEST--
		40	+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
		41	+--SKIPIF--
		42	+<?php
		43	+ if(!extension_loaded('gd')){ die('skip gd extension not available'); }
		44	+?>
		45	+--FILE--
		46	+<?php
		47	+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
		48	+var_dump($img);
		49	+?>
		50	+--EXPECTF--
		51	+bool(false)
		52	\ No newline at end of file
		53	--
		54	2.3.5
		55


diff --git a/meta-oe/recipes-devtools/php/php_5.6.12.bb b/meta-oe/recipes-devtools/php/php_5.6.12.bb index caa0867b0..bd9a5b601 100644 --- a/meta-oe/recipes-devtools/php/php_5.6.12.bb +++ b/meta-oe/recipes-devtools/php/php_5.6.12.bb
@@ -3,6 +3,7 @@ require php.inc
3	SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \	3	SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
4	file://CVE-2015-7803.patch \	4	file://CVE-2015-7803.patch \
5	file://CVE-2015-7804.patch \	5	file://CVE-2015-7804.patch \
		6	file://CVE-2016-1903.patch \
6	"	7	"
7	SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b"	8	SRC_URI[md5sum] = "4578dee9d979114610a444bee263ed9b"
8	SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a"	9	SRC_URI[sha256sum] = "6f27104272af7b2a996f85e4100fac627630fbdaf39d7bd263f16cf529c8853a"