Bug 137249
Summary: | CAN-2004-0990 integer overflow in internal GD image library | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 3 | Reporter: | Josh Bressers <bressers> |
Component: | php | Assignee: | Joe Orton <jorton> |
Status: | CLOSED WORKSFORME | QA Contact: | David Lawrence <dkl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.0 | Keywords: | Security |
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | public=20041026,impact=moderate | ||
Doc Type: | Bug Fix | ||
Last Closed: | 2004-11-05 17:06:40 UTC | Type: | --- |
Description
Josh Bressers
2004-10-26 22:38:54 UTC
Unfortunately these days PHP includes a specially patched version of GD; switching to the system libgd drops various features. In fact, it's not unfortunate at all. The PHP libgd reimplements gdMalloc and friends using the PHP internal memory allocation functions safe_emalloc etc; these do check for integer overflow, and they also place a hard limit on the amount of RAM which can be consumed. This successfully catches the issues triggered by the test case referenced. I've been through the PHP libgd checking the places I checked in the real gd, and everything looks safe.
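
The comment above credits two properties of the allocator for catching the issue: an integer-overflow check on the size computation and a hard cap on memory. The following C sketch of that pattern is an added example, not code from PHP or libgd; the names `checked_size`, `checked_alloc`, `unchecked_size` and the `ALLOC_LIMIT` value are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap standing in for an interpreter-wide memory limit. */
#define ALLOC_LIMIT ((size_t)64 * 1024 * 1024)

/* Compute nmemb * size + offset without wrapping.
 * Returns 0 and stores the result in *out, or -1 on overflow. */
static int checked_size(size_t nmemb, size_t size, size_t offset, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return -1;                      /* multiplication would wrap */
    size_t total = nmemb * size;
    if (total > SIZE_MAX - offset)
        return -1;                      /* addition would wrap */
    *out = total + offset;
    return 0;
}

/* Allocate nmemb * size + offset bytes; NULL on overflow, zero size,
 * or a request above the cap. */
static void *checked_alloc(size_t nmemb, size_t size, size_t offset)
{
    size_t total;
    if (checked_size(nmemb, size, offset, &total) != 0)
        return NULL;
    if (total == 0 || total > ALLOC_LIMIT)
        return NULL;
    return malloc(total);
}

/* The unchecked form: the product silently wraps modulo SIZE_MAX + 1,
 * so the buffer can end up far smaller than the caller assumes. */
static size_t unchecked_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;     /* constructed dimension value */
    printf("unchecked size: %zu\n", unchecked_size(huge, 2));
    printf("checked alloc:  %p\n", checked_alloc(huge, 2, 0));
    return 0;
}
```
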