php
diff --git a/‎ext/gd/libgd/gd_gd2.c
Lines changed: 10 additions & 2 deletions b/‎ext/gd/libgd/gd_gd2.c
Lines changed: 10 additions & 2 deletions
diff --git a/‎ext/gd/tests/bug73868.gd2
1.03 KB b/‎ext/gd/tests/bug73868.gd2
1.03 KB
diff --git a/‎ext/gd/tests/bug73868.phpt
Lines changed: 18 additions & 0 deletions b/‎ext/gd/tests/bug73868.phpt
Lines changed: 18 additions & 0 deletions
diff --git a/‎ext/gd/tests/bug73869.phpt
Lines changed: 19 additions & 0 deletions b/‎ext/gd/tests/bug73869.phpt
Lines changed: 19 additions & 0 deletions
diff --git a/‎ext/gd/tests/bug73869a.gd2
92 Bytes b/‎ext/gd/tests/bug73869a.gd2
92 Bytes
diff --git a/‎ext/gd/tests/bug73869b.gd2
18 Bytes b/‎ext/gd/tests/bug73869b.gd2
18 Bytes
@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 	GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
 
 	if (gd2_compressed(*fmt)) {
+		if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+			GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+			goto fail1;
+		}
 		nc = (*ncx) * (*ncy);
 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
 		if (overflow2(sizeof(t_chunk_info), nc)) {
@@ -340,12 +344,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
 					for (x = xlo; x < xhi; x++) {
 						if (im->trueColor) {
 							if (!gdGetInt(&im->tpixels[y][x], in)) {
-								im->tpixels[y][x] = 0;
+								php_gd_error("gd2: EOF while reading\n");
+								gdImageDestroy(im);
+								return NULL;
 							}
 						} else {
 							int ch;
 							if (!gdGetByte(&ch, in)) {
-								ch = 0;
+								php_gd_error("gd2: EOF while reading\n");
+								gdImageDestroy(im);
+								return NULL;
 							}
 							im->pixels[y][x] = ch;
 						}
 
@@ -0,0 +1,18 @@
+--TEST--
+Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd2: EOF while reading
+ in %s on line %d
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73869 (Signed Integer Overflow gd_io.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2'));
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===