equal
deleted
inserted
replaced
|
1 Fix for CVE-2014-2497 |
|
2 Patch: |
|
3 http://git.php.net/?p=php-src.git;a=patch;h=cf4753691dc55999373d1c576f62ecb298723420 |
|
4 Code: |
|
5 http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420 |
|
6 Verified by hand that it patches the correct code |
|
7 but needed one slight tweak needing return instead of goto. |
|
8 |
|
9 |
|
10 diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c |
|
11 index 73f86e5..b69414e 100644 |
|
12 --- a/ext/gd/libgd/gdxpm.c |
|
13 +++ b/ext/gd/libgd/gdxpm.c |
|
14 @@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename) |
|
15 if (ret != XpmSuccess) { |
|
16 return 0; |
|
17 } |
|
18 + number = image.ncolors; |
|
19 + for(i = 0; i < number; i++) { |
|
20 + if (!image.colorTable[i].c_color) { |
|
21 + return 0; |
|
22 + } |
|
23 + } |
|
24 |
|
25 if (!(im = gdImageCreate(image.width, image.height))) { |
|
26 return 0; |
|
27 } |
|
28 |
|
29 - number = image.ncolors; |
|
30 colors = (int *) safe_emalloc(number, sizeof(int), 0); |
|
31 for (i = 0; i < number; i++) { |
|
32 switch (strlen (image.colorTable[i].c_color)) { |