We add the missing integer overflow check to avoid potential buffer overflows.
(cmb)
. Fixed bug #50194 (imagettftext broken on transparent background w/o
alphablending). (cmb)
+ . Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
+ cmb)
- Mbstring:
. Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
/* Conversion to Y,U,V buffer */
yuv_width = (width + 1) >> 1;
yuv_height = (height + 1) >> 1;
+
+ if (overflow2(width, height)) {
+ return;
+ }
+ /* simplification possible, because WebP must not be larger than 16384**2 */
+ if (overflow2(width * height, 2 * sizeof(unsigned char))) {
+ return;
+ }
+
yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
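Review bot: the second check, `overflow2(width * height, 2 * sizeof(unsigned char))`, bounds `2 * width * height`, while the size actually allocated is `width * height + 2 * yuv_width * yuv_height`. The comment justifies this shortcut by the 16384**2 WebP limit, but nothing in this hunk enforces that limit. Because `yuv_width` and `yuv_height` round up, the real sum is not strictly bounded by `2 * width * height` for very narrow images, so the guard is only as strong as that unstated limit. Either reject `width` or `height` above 16384 explicitly before this point, or run the checks on the real terms (`yuv_width`, `yuv_height` and the final sum). Two smaller points: `(width + 1) >> 1` and `(height + 1) >> 1` are evaluated before either guard runs, so the guards would sit better above those two assignments. Both new paths also leave through a bare `return;`, so as far as these lines show the caller cannot tell that no image was written; if `overflow2()` does not already report the failure, emit a warning here.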