components/php-5_3/php-sapi/patches/263_php_20936509.patch
changeset 4987 6a82655eda42
parent 4986 90a869b3f47a
child 4988 4b69c7c7e09b
4986:90a869b3f47a 4987:6a82655eda42
     1 CVE-2014-9709
       
     2 Community BUG:
       
     3 https://bugs.php.net/bug.php?id=68601
       
     4 Community CODE:
       
     5 http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b
       
     6 Below is the community patch.
       
     7 
       
     8 
       
     9 diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
       
    10 index ee88a2f..491e942 100644
       
    11 --- a/ext/gd/libgd/gd_gif_in.c
       
    12 +++ b/ext/gd/libgd/gd_gif_in.c
       
    13 @@ -72,8 +72,10 @@ static struct {
       
    14  
       
    15  #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
       
    16  
       
    17 +#define CSD_BUF_SIZE 280
       
    18 +
       
    19  typedef struct {
       
    20 -	unsigned char    buf[280];
       
    21 +	unsigned char    buf[CSD_BUF_SIZE];
       
    22  	int              curbit, lastbit, done, last_byte;
       
    23  } CODE_STATIC_DATA;
       
    24  
       
    25 @@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
       
    26  
       
    27  	ret = 0;
       
    28  	for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
       
    29 -		ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
       
    30 +		if (i < CSD_BUF_SIZE * 8) {
       
    31 +			ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
       
    32 +		} else {
       
    33 +			ret = -1;
       
    34 +			break;
       
    35 +		}
       
    36  
       
    37  	scd->curbit += code_size;
       
    38  	return ret;