Integer overflow checks.

diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 80fb2b8a96052382115d12dcb10feb57cea60497..5034afec60a417c2aa7273868e003102bbabffa3 100644 (file)
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -139,6 +139,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
                nc = (*ncx) * (*ncy);
                GD2_DBG(php_gd_error("Reading %d chunk index entries\n", nc));
                sidx = sizeof(t_chunk_info) * nc;
+               if (sidx <= 0) {
+                       goto fail1;
+               }
                cidx = gdCalloc(sidx, 1);
                for (i = 0; i < nc; i++) {
                        if (gdGetInt(&cidx[i].offset, in) != 1) {
@@ -272,6 +275,9 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
 
                /* Allocate buffers */
                chunkMax = cs * bytesPerPixel * cs;
+               if (chunkMax <= 0) {
+                       return 0;
+               }
                chunkBuf = gdCalloc(chunkMax, 1);
                compBuf = gdCalloc(compMax, 1);
                
@@ -447,6 +453,10 @@ gdImagePtr gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w,
                } else {
                        chunkMax = cs * cs;
                }
+               if (chunkMax <= 0) {
+                       goto fail2;
+               }
+               
                chunkBuf = gdCalloc(chunkMax, 1);
                compBuf = gdCalloc(compMax, 1);
        }
@@ -659,7 +669,11 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
                compMax = (int)(cs * bytesPerPixel * cs * 1.02f) + 12;
 
                /* Allocate the buffers.  */
-               chunkData = gdCalloc(cs * bytesPerPixel * cs, 1);
+               chunkData = safe_emalloc(cs * bytesPerPixel, cs, 0);
+               memset(chunkData, 0, cs * bytesPerPixel * cs);
+               if (compMax <= 0) {
+                       goto fail;              
+               }
                compData = gdCalloc(compMax, 1);
 
                /* Save the file position of chunk index, and allocate enough space for
@@ -670,7 +684,8 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
                GD2_DBG(php_gd_error("Index size is %d\n", idxSize));
                gdSeek(out, idxPos + idxSize);
 
-               chunkIdx = gdCalloc(idxSize * sizeof(t_chunk_info), 1);
+               chunkIdx = safe_emalloc(idxSize, sizeof(t_chunk_info), 0);
+               memset(chunkIdx, 0, idxSize * sizeof(t_chunk_info));
        }
 
        _gdPutColors (im, out);
@@ -754,7 +769,7 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
                }
                gdSeek(out, posSave);
        }
-
+fail:
        GD2_DBG(php_gd_error("Freeing memory\n"));
        if (chunkData) {
                gdFree(chunkData);

diff --git a/ext/gd/libgd/gd_jpeg.c b/ext/gd/libgd/gd_jpeg.c
index 8fe30108f8f2adfa76f079eefecf1b70f51d2b36..0f0211c4b5d5658968ff1259e29d626aa6c9e296 100644 (file)
--- a/ext/gd/libgd/gd_jpeg.c
+++ b/ext/gd/libgd/gd_jpeg.c
@@ -144,7 +144,8 @@ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
 
        jpeg_gdIOCtx_dest (&cinfo, outfile);
 
-       row = (JSAMPROW) gdCalloc (1, cinfo.image_width * cinfo.input_components * sizeof (JSAMPLE));
+       row = (JSAMPROW) safe_emalloc(cinfo.image_width * cinfo.input_components, sizeof(JSAMPLE), 0);
+       memset(row, 0, cinfo.image_width * cinfo.input_components * sizeof(JSAMPLE));
        rowptr[0] = row;
 
        jpeg_start_compress (&cinfo, TRUE);
@@ -310,7 +311,8 @@ gdImagePtr gdImageCreateFromJpegCtx (gdIOCtx * infile)
        goto error;
 #endif /* BITS_IN_JSAMPLE == 12 */
 
-       row = gdCalloc (cinfo.output_width * 3, sizeof (JSAMPLE));
+       row = safe_emalloc(cinfo.output_width * 3, sizeof(JSAMPLE), 0);
+       memset(row, 0, cinfo.output_width * 3 * sizeof(JSAMPLE));
        rowptr[0] = row;
 
        for (i = 0; i < cinfo.output_height; i++) {