CVE-2007-3996

Priority
Description
Multiple integer overflows in libgd in PHP before 5.2.4 allow remote
attackers to cause a denial of service (application crash) and possibly
execute arbitrary code via a large (1) srcW or (2) srcH value to the (a)
gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width)
value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function.
Notes
 jdstrand> note this is gdImageCreate and gdImageCreateTrueColor
 jdstrand> dapper-gutsy libgd2 are affected to varying degrees
 jdstrand> php5-gd segfaults on feisty and gutsy before patching libgd2,
  and dapper-gutsy segfault after (this is because feisty-gutsy had a partial
  fix already in libgd2). php5-gd is not properly handling the error condition
  when libgd2 fails. Verified that 5.2.4 works with patched libgd2.
Assigned-to
jdstrand
Package
Upstream:released (2.0.35)

Updated: 2019-03-19 11:43:11 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)