equal
deleted
inserted
replaced
1 CVE-2014-9709 |
|
2 Community BUG: |
|
3 https://bugs.php.net/bug.php?id=68601 |
|
4 Community CODE: |
|
5 http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b |
|
6 Below is the community patch. |
|
7 |
|
8 |
|
9 diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c |
|
10 index ee88a2f..491e942 100644 |
|
11 --- a/ext/gd/libgd/gd_gif_in.c |
|
12 +++ b/ext/gd/libgd/gd_gif_in.c |
|
13 @@ -72,8 +72,10 @@ static struct { |
|
14 |
|
15 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) |
|
16 |
|
17 +#define CSD_BUF_SIZE 280 |
|
18 + |
|
19 typedef struct { |
|
20 - unsigned char buf[280]; |
|
21 + unsigned char buf[CSD_BUF_SIZE]; |
|
22 int curbit, lastbit, done, last_byte; |
|
23 } CODE_STATIC_DATA; |
|
24 |
|
25 @@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD |
|
26 |
|
27 ret = 0; |
|
28 for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) |
|
29 - ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j; |
|
30 + if (i < CSD_BUF_SIZE * 8) { |
|
31 + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; |
|
32 + } else { |
|
33 + ret = -1; |
|
34 + break; |
|
35 + } |
|
36 |
|
37 scd->curbit += code_size; |
|
38 return ret; |
|