20192108 problem in UTILITY/PHP
20231115 problem in UTILITY/PHP
20936509 problem in UTILITY/PHP
20804024 problem in UTILITY/PHP
20804061 problem in UTILITY/PHP
20804135 problem in UTILITY/PHP
20804363 problem in UTILITY/PHP
20804424 problem in UTILITY/PHP
20433657 problem in UTILITY/PHP
20803998 problem in UTILITY/PHP
20804391 problem in UTILITY/PHP
CVE-2014-9709
Community BUG:
https://bugs.php.net/bug.php?id=68601
Community CODE:
http://git.php.net/?p=php-src.git;a=commit;h=afbf725e7380dfb3ff43a993e43abd9759a66c2b
Below is the community patch.
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index ee88a2f..491e942 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -72,8 +72,10 @@ static struct {
#define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+#define CSD_BUF_SIZE 280
+
typedef struct {
- unsigned char buf[280];
+ unsigned char buf[CSD_BUF_SIZE];
int curbit, lastbit, done, last_byte;
} CODE_STATIC_DATA;
@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
ret = 0;
for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
- ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+ if (i < CSD_BUF_SIZE * 8) {
+ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ } else {
+ ret = -1;
+ break;
+ }
scd->curbit += code_size;
return ret;