[oe-commits] [meta-openembedded] 12/19: php: CVE-2016-9933
git at git.openembedded.org
git at git.openembedded.org
Fri Nov 17 01:52:13 UTC 2017
This is an automated email from the git hooks/post-receive script.
armin_kuster pushed a commit to branch akuster/morty-next
in repository meta-openembedded.
commit 4c57e20705c4b2afa1ae5ef6a1db3c18ddb6ce6c
Author: Thiruvadi Rajaraman <trajaraman at mvista.com>
AuthorDate: Fri Jul 7 19:11:10 2017 +0530
php: CVE-2016-9933
Source: php-src.git
MR: 70039
Type: Security Fix
Disposition: Backport from php-7.2.0
ChangeID: 7af5552e8c05decf9ea6de19c81ee4bf0037f56f
Description:
imagefilltoborder stackoverflow on truecolor images
We must not allow negative color values be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
Reviewed-by: Armin Kuster <akuster at mvista.com>
Signed-off-by: Armin Kuster <akuster at mvista.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../php/php-5.6.26/CVE-2016-9933.patch | 42 ++++++++++++++++++++++
meta-oe/recipes-devtools/php/php_5.6.26.bb | 1 +
2 files changed, 43 insertions(+)
diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch
new file mode 100644
index 0000000..0d5a9d2
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9933.patch
@@ -0,0 +1,42 @@
+Fix #72696: imagefilltoborder stackoverflow on truecolor images
+
+We must not allow negative color values be passed to
+gdImageFillToBorder(), because that can lead to infinite recursion
+since the recursion termination condition will not necessarily be met.
+
+Upstream-status: Backport
+
+CVE: CVE-2016-9933
+Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
+Index: php-5.6.26/ext/gd/libgd/gd.c
+===================================================================
+--- php-5.6.26.orig/ext/gd/libgd/gd.c 2016-09-16 02:32:50.000000000 +0530
++++ php-5.6.26/ext/gd/libgd/gd.c 2017-07-07 18:18:38.079721713 +0530
+@@ -1780,7 +1780,7 @@
+ int leftLimit = -1, rightLimit;
+ int i, restoreAlphaBlending = 0;
+
+- if (border < 0) {
++ if (border < 0 || color < 0) {
+ /* Refuse to fill to a non-solid border */
+ return;
+ }
+Index: php-5.6.26/ext/gd/tests/bug72696.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php-5.6.26/ext/gd/tests/bug72696.phpt 2017-07-07 18:19:16.939987470 +0530
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #72696 (imagefilltoborder stackoverflow on truecolor images)
++--SKIPIF--
++<?php
++if (!extension_loaded('gd')) die('skip gd extension not available');
++?>
++--FILE--
++<?php
++$im = imagecreatetruecolor(10, 10);
++imagefilltoborder($im, 0, 0, 1, -2);
++?>
++===DONE===
++--EXPECT--
++===DONE===
diff --git a/meta-oe/recipes-devtools/php/php_5.6.26.bb b/meta-oe/recipes-devtools/php/php_5.6.26.bb
index 741c825..a10d2a6 100644
--- a/meta-oe/recipes-devtools/php/php_5.6.26.bb
+++ b/meta-oe/recipes-devtools/php/php_5.6.26.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
file://CVE-2016-9137.patch \
file://CVE-2016-9934.patch \
file://CVE-2016-9935.patch \
+ file://CVE-2016-9933.patch \
"
SRC_URI[md5sum] = "cb424b705cfb715fc04f499f8a8cf52e"
SRC_URI[sha256sum] = "d47aab8083a4284b905777e1b45dd7735adc53be827b29f896684750ac8b6236"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list