fix several integer overflows in GD

author Antony Dovgal <tony2001@php.net>

Wed, 6 Jun 2007 09:43:39 +0000 (09:43 +0000)

committer Antony Dovgal <tony2001@php.net>

Wed, 6 Jun 2007 09:43:39 +0000 (09:43 +0000)
author Antony Dovgal <tony2001@php.net>
Wed, 6 Jun 2007 09:43:39 +0000 (09:43 +0000)
committer Antony Dovgal <tony2001@php.net>
Wed, 6 Jun 2007 09:43:39 +0000 (09:43 +0000)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c

index 44e9c1c14851bb1285d05e1ef38ffe0121060397..9ba28b76d545aabb6e2f4430b6dbfb88124c0c86 100644 (file)
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1579,6 +1579,10 @@ PHP_FUNCTION(imagecreatetruecolor)
  
         im = gdImageCreateTrueColor(x_size, y_size);
  
+       if (!im) {
+               RETURN_FALSE;
+       }
+
         ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
  }
  /* }}} */
@@ -2128,6 +2132,10 @@ PHP_FUNCTION(imagecreate)
  
         im = gdImageCreate(x_size, y_size);
  
+       if (!im) {
+               RETURN_FALSE;
+       }
+
         ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
  }
  /* }}} */
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c

index ea4cdf7614ef84e5bd1a6e810e2592fb687c3051..00b5c99a7348c1fba3e8f2772410e8d107959d3c 100644 (file)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -120,6 +120,15 @@ gdImagePtr gdImageCreate (int sx, int sy)
  {
         int i;
         gdImagePtr im;
+
+       if (overflow2(sx, sy)) {
+               return NULL;
+       }
+
+       if (overflow2(sizeof(unsigned char *), sy)) {
+               return NULL;
+       }
+
         im = (gdImage *) gdMalloc(sizeof(gdImage));
         memset(im, 0, sizeof(gdImage));
         /* Row-major ever since gd 1.3 */
@@ -162,6 +171,19 @@ gdImagePtr gdImageCreateTrueColor (int sx, int sy)
  {
         int i;
         gdImagePtr im;
+
+       if (overflow2(sx, sy)) {
+               return NULL;
+       }
+
+       if (overflow2(sizeof(unsigned char *), sy)) {
+               return NULL;
+       }
+       
+       if (overflow2(sizeof(int), sx)) {
+               return NULL;
+       }
+
         im = (gdImage *) gdMalloc(sizeof(gdImage));
         memset(im, 0, sizeof(gdImage));
         im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
@@ -2398,6 +2420,14 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
         int *stx, *sty;
         /* We only need to use floating point to determine the correct stretch vector for one line's worth. */
         double accum;
+       
+       if (overflow2(sizeof(int), srcW)) {
+               return;
+       }
+       if (overflow2(sizeof(int), srcH)) {
+               return;
+       }
+
         stx = (int *) gdMalloc (sizeof (int) * srcW);
         sty = (int *) gdMalloc (sizeof (int) * srcH);
         accum = 0;
@@ -3189,6 +3219,10 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
                 return;
         }
  
+       if (overflow2(sizeof(int), n)) {
+               return;
+       }
+
         if (c == gdAntiAliased) {
                 fill_color = im->AA_color;
         } else {
@@ -3203,6 +3237,9 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
                 while (im->polyAllocated < n) {
                         im->polyAllocated *= 2;
                 }
+               if (overflow2(sizeof(int), im->polyAllocated)) {
+                       return;
+               }
                 im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);
         }
         miny = p[0].y;
author	Antony Dovgal <tony2001@php.net>
	Wed, 6 Jun 2007 09:43:39 +0000 (09:43 +0000)
committer	Antony Dovgal <tony2001@php.net>
	Wed, 6 Jun 2007 09:43:39 +0000 (09:43 +0000)
ext/gd/gd.c		patch \| blob \| history
ext/gd/libgd/gd.c		patch \| blob \| history