Home Explore Help
Sign In
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
php-8.1.12
/
ext
/
gd
/
tests
/
bug72339.phpt

bug72339.phpt 1.1 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940 
  1. --TEST--
    2. 

  2. Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
    3. 

  3. --EXTENSIONS--
    4. 

  4. gd
    5. 

  5. --SKIPIF--
    6. 

  6. <?php
    7. 

  7. if (!function_exists("imagecreatefromgd2")) print "skip";
    8. 

  8. if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.2', '<')) {
    9. 

  9.     die("skip test requires GD 2.2.2 or higher");
    10. 

  10. }
    11. 

  11. ?>
    12. 

  12. --FILE--
    13. 

  13. <?php
    14. 

  14. $fname = __DIR__ . DIRECTORY_SEPARATOR . "bug72339.gd";
    15. 

  15. 

  16. $fh = fopen($fname, "w");
    17. 

  17. fwrite($fh, "gd2\x00");
    18. 

  18. fwrite($fh, pack("n", 2));
    19. 

  19. fwrite($fh, pack("n", 1));
    20. 

  20. fwrite($fh, pack("n", 1));
    21. 

  21. fwrite($fh, pack("n", 0x40));
    22. 

  22. fwrite($fh, pack("n", 2));
    23. 

  23. fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
    24. 

  24. fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
    25. 

  25. fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
    26. 

  26. fclose($fh);
    27. 

  27. 

  28. $im = imagecreatefromgd2($fname);
    29. 

  29. 

  30. if ($im) {
    31. 

  31.     imagedestroy($im);
    32. 

  32. }
    33. 

  33. unlink($fname);
    34. 

  34. 

  35. ?>
    36. 

  36. --EXPECTF--
    37. 

  37. Warning: imagecreatefromgd2(): Product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
    38. 

  38.  in %sbug72339.php on line %d
    39. 

  39. 

  40. Warning: imagecreatefromgd2(): "%sbug72339.gd" is not a valid GD2 file in %sbug72339.php on line %d
    41.