File php-4.3.9-CVE-2006-4484.patch of Package php4

http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.2.2.2.6.1&r2=1.2.2.2.6.2&diff_format=u
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.2.2.2.6.2&r2=1.2.2.2.6.3&diff_format=u

--- php-4.3.9/ext/gd/libgd/gd_gif_in.c.cve4484
+++ php-4.3.9/ext/gd/libgd/gd_gif_in.c
@@ -147,7 +147,10 @@
        Background      = buf[5];
        AspectRatio     = buf[6];
 
-       if (BitSet(buf[4], LOCALCOLORMAP)) {    /* Global Colormap */
+		imw = LM_to_uint(buf[0],buf[1]);
+		imh = LM_to_uint(buf[2],buf[3]);
+
+ 		if (BitSet(buf[4], LOCALCOLORMAP)) {    /* Global Colormap */
                if (ReadColorMap(fd, BitPixel, ColorMap)) {
 			return 0;
 		}
@@ -182,16 +185,17 @@
 
                bitPixel = 1<<((buf[8]&0x07)+1);
 
-               imw = LM_to_uint(buf[4],buf[5]);
-               imh = LM_to_uint(buf[6],buf[7]);
+			   if (!useGlobalColormap) {
+				   if (ReadColorMap(fd, bitPixel, localColorMap)) {
+					   return 0;
+				   }
+			   }
+			   
 	       if (!(im = gdImageCreate(imw, imh))) {
 			 return 0;
 	       }
                im->interlace = BitSet(buf[8], INTERLACE);
                if (! useGlobalColormap) {
-                       if (ReadColorMap(fd, bitPixel, localColorMap)) { 
-                                 return 0;
-                       }
                        ReadImage(im, fd, imw, imh, localColorMap, 
                                  BitSet(buf[8], INTERLACE)); 
                                  /*1.4//imageCount != imageNumber); */
@@ -212,6 +216,12 @@
        if (!im) {
 		return 0;
        }
+
+		if (!im->colorsTotal) {
+			gdImageDestroy(im);
+			return 0;
+		}
+
        /* Check for open colors at the end, so
           we can reduce colorsTotal and ultimately
           BitsPerPixel */
@@ -502,6 +512,19 @@
        int             v;
        int             xpos = 0, ypos = 0, pass = 0;
        int i;
+
+	   /*
+		**  Initialize the Compression routines
+		*/
+	   if (! ReadOK(fd,&c,1)) {
+		   return;
+	   }
+
+	   if (c > MAX_LWZ_BITS) {
+		   return;	
+	   }
+
+
        /* Stash the color map into the image */
        for (i=0; (i<gdMaxColors); i++) {
                im->red[i] = cmap[CM_RED][i];	
@@ -511,12 +534,7 @@
        }
        /* Many (perhaps most) of these colors will remain marked open. */
        im->colorsTotal = gdMaxColors;
-       /*
-       **  Initialize the Compression routines
-       */
-       if (! ReadOK(fd,&c,1)) {
-               return; 
-       }
+
        if (LWZReadByte(fd, TRUE, c) < 0) {
                return;
        }