[security] [CVE-2018-5711] Sec Bug #75571: Potential infinite loop in gdImageCreateFromGifCtx

paulbiss · fredemmott · commit 2e4b6edb6a4e · 2018-05-03T12:30:21.000-07:00
CVE-2018-5711
diff --git a/hphp/runtime/ext/gd/libgd/gd_gif_in.cpp b/hphp/runtime/ext/gd/libgd/gd_gif_in.cpp
@@ -258,10 +258,6 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
   if (!im) {
     return 0;
   }
-  if (!im->colorsTotal) {
-    gdImageDestroy(im);
-    return 0;
-  }
   /* Check for open colors at the end, so
      we can reduce colorsTotal and ultimately
      BitsPerPixel */
@@ -272,6 +268,10 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
       break;
     }
   }
+  if (!im->colorsTotal) {
+    gdImageDestroy(im);
+    return 0;
+  }
   return im;
 }
 /* }}} */
@@ -372,7 +372,7 @@ static int
 GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
 {
   int           i, j, ret;
-  unsigned char count;
+  int           count;
 
   if (flag) {
     scd->curbit = 0;
diff --git a/hphp/test/zend/good/ext/gd/tests/bug75571.gif b/hphp/test/zend/good/ext/gd/tests/bug75571.gif
diff --git a/hphp/test/zend/good/ext/gd/tests/bug75571.php b/hphp/test/zend/good/ext/gd/tests/bug75571.php
@@ -0,0 +1,3 @@
+<?php
+var_dump(imagecreatefromgif(__DIR__ . '/bug75571.gif'));
+?>
diff --git a/hphp/test/zend/good/ext/gd/tests/bug75571.php.expectf b/hphp/test/zend/good/ext/gd/tests/bug75571.php.expectf
@@ -0,0 +1,3 @@
+Warning: '%s' is not a valid GIF file in %s on line %d
+bool(false)
+
diff --git a/hphp/test/zend/good/ext/gd/tests/bug75571.php.skipif b/hphp/test/zend/good/ext/gd/tests/bug75571.php.skipif
@@ -0,0 +1,3 @@
+<?php
+        if (!function_exists('imagetypes')) die("skip gd extension not available\n");
+?>

Original file line number	Diff line number	Diff line change
`@@ -258,10 +258,6 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */`
`258`	`258`	`if (!im) {`
`259`	`259`	`return 0;`
`260`	`260`	`}`
`261`		`- if (!im->colorsTotal) {`
`262`		`- gdImageDestroy(im);`
`263`		`- return 0;`
`264`		`- }`
`265`	`261`	`/* Check for open colors at the end, so`
`266`	`262`	`we can reduce colorsTotal and ultimately`
`267`	`263`	`BitsPerPixel */`
`@@ -272,6 +268,10 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */`
`272`	`268`	`break;`
`273`	`269`	`}`
`274`	`270`	`}`
	`271`	`+ if (!im->colorsTotal) {`
	`272`	`+ gdImageDestroy(im);`
	`273`	`+ return 0;`
	`274`	`+ }`
`275`	`275`	`return im;`
`276`	`276`	`}`
`277`	`277`	`/* }}} */`
`@@ -372,7 +372,7 @@ static int`
`372`	`372`	`GetCode_(gdIOCtx fd, CODE_STATIC_DATA scd, int code_size, int flag, int *ZeroDataBlockP)`
`373`	`373`	`{`
`374`	`374`	`int i, j, ret;`
`375`		`- unsigned char count;`
	`375`	`+ int count;`
`376`	`376`
`377`	`377`	`if (flag) {`
`378`	`378`	`scd->curbit = 0;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+<?php`
	`2`	`+var_dump(imagecreatefromgif(__DIR__ . '/bug75571.gif'));`
	`3`	`+?>`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Warning: '%s' is not a valid GIF file in %s on line %d`
	`2`	`+bool(false)`
	`3`	`+`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+<?php`
	`2`	`+ if (!function_exists('imagetypes')) die("skip gd extension not available\n");`
	`3`	`+?>`