Fix #72709: imagesetstyle() causes OOB read for empty $styles

cmb69 · cmb69 · commit f5622f5c8763 · 2016-08-02T18:43:37.000+02:00
Calling imagesetstyle() with an empty $styles array caused gdImageSetStyle()
to be called with `noOfPixels==0`, what could have lead to OOB reads.
Actually, this issue will be fixed in libgd, but to avoid issues when older
libgd is in use, we simply disallow passing an empty $styles array to
imagesetstyle(), what wouldn't serve a useful purpose anyway.
diff --git a/NEWS b/NEWS
@@ -42,6 +42,7 @@ PHP                                                                        NEWS
     blendingmode). (cmb)
   . Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c). (cmb)
   . Fixed bug #68712 (suspicious if-else statements). (cmb)
+  . Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
 
 - Intl:
   . Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -1555,15 +1555,22 @@ PHP_FUNCTION(imagesetstyle)
 	int * stylearr;
 	int index;
 	HashPosition pos;
+    int num_styles;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ra", &IM, &styles) == FAILURE)  {
 		return;
 	}
 
 	ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
 
+    num_styles = zend_hash_num_elements(HASH_OF(styles));
+    if (num_styles == 0) {
+        php_error_docref(NULL, E_WARNING, "styles array must not be empty");
+        RETURN_FALSE;
+    }
+
 	/* copy the style values in the stylearr */
-	stylearr = safe_emalloc(sizeof(int), zend_hash_num_elements(HASH_OF(styles)), 0);
+	stylearr = safe_emalloc(sizeof(int), num_styles, 0);
 
 	zend_hash_internal_pointer_reset_ex(HASH_OF(styles), &pos);
 
diff --git a/ext/gd/tests/bug72709.phpt b/ext/gd/tests/bug72709.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72709 (imagesetstyle() causes OOB read for empty $styles)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip ext/gd not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(1, 1);
+var_dump(imagesetstyle($im, array()));
+imagesetpixel($im, 0, 0, IMG_COLOR_STYLED);
+imagedestroy($im);
+?>
+====DONE====
+--EXPECTF--
+Warning: imagesetstyle(): styles array must not be empty in %s%ebug72709.php on line %d
+bool(false)
+====DONE====
