Fix #77973: Uninitialized read in gdImageCreateFromXbm

cmb69 · smalyshev · commit 3b14a5a75ad4 · 2019-06-05T22:41:46.000-07:00
We have to ensure that `sscanf()` does indeed read a hex value here,
and bail out otherwise.
diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c
@@ -135,7 +135,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
 			}
 			h[3] = ch;
 		}
-		sscanf(h, "%x", &b);
+		if (sscanf(h, "%x", &b) != 1) {
+			php_gd_error("invalid XBM");
+			gdImageDestroy(im);
+			return 0;
+		}
 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
 			if (x == im->sx) {
diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #77973 (Uninitialized read in gdImageCreateFromXbm)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die("skip gd extension not available");
+if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available");
+?>
+--FILE--
+<?php
+$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a");
+$filepath = __DIR__ . '/bug77973.xbm';
+file_put_contents($filepath, $contents);
+$im = imagecreatefromxbm($filepath);
+var_dump($im);
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromxbm(): invalid XBM in %s on line %d
+
+Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d
+bool(false)
+===DONE===
+--CLEAN--
+<?php
+unlink(__DIR__ . '/bug77973.xbm');
+?>

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)`
`135`	`135`	`}`
`136`	`136`	`h[3] = ch;`
`137`	`137`	`}`
`138`		`- sscanf(h, "%x", &b);`
	`138`	`+ if (sscanf(h, "%x", &b) != 1) {`
	`139`	`+ php_gd_error("invalid XBM");`
	`140`	`+ gdImageDestroy(im);`
	`141`	`+ return 0;`
	`142`	`+ }`
`139`	`143`	`for (bit = 1; bit <= max_bit; bit = bit << 1) {`
`140`	`144`	`gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);`
`141`	`145`	`if (x == im->sx) {`