Notes about various possible integer overflows in bundled gd library.

author Ilia Alshanetsky <iliaa@php.net>

Fri, 4 Apr 2003 01:17:35 +0000 (01:17 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Fri, 4 Apr 2003 01:17:35 +0000 (01:17 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Fri, 4 Apr 2003 01:17:35 +0000 (01:17 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Fri, 4 Apr 2003 01:17:35 +0000 (01:17 +0000)
diff --git a/TODO_SEGFAULTS b/TODO_SEGFAULTS

index d3e09eda0ed249374246e3f8cfd0703fa5201a63..04219430ff4e3c26b2cfd4c0d7f2fd249f7edcf7 100644 (file)
--- a/TODO_SEGFAULTS
+++ b/TODO_SEGFAULTS
@@ -29,6 +29,7 @@ Open:
      socket_select               (4)
      php_imagepolygon           (5)
      imagesetstyle              (6)
+    bundled gd                 (7)
         
  (1) heap corruption, mostly visible in malloc-related calls.  Whether you see 
      this or not might depend on your libc/compiler.  Hard to track down,
@@ -85,6 +86,20 @@ Methodology
      gdImageSetStyle function called by this php wrapper can die for the
      same reason.  
  
+(7) multiple integer overflows that can occur when trying to allocate a buffer
+    for a new image. Affected functions:
+    gdImageCreateFromJpegCtx
+    readwbmp
+    gdImageCreateFromXpm
+    gdImageCreateFromPngCtx
+    gdImagePngCtx
+    gdImageCreateFromJpegCtx
+    gdImageJpegCtx
+    gdImageCreateFromGd2Ctx
+    gdImageCreateFromGd2PartCtx
+    _gdImageGd2
+    GetDataBlock (gd_gif_in.c)
+
  Ammendment 1.
  
  CFLAGS='-O0 -g' \
author	Ilia Alshanetsky <iliaa@php.net>
	Fri, 4 Apr 2003 01:17:35 +0000 (01:17 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Fri, 4 Apr 2003 01:17:35 +0000 (01:17 +0000)