MFH: fix several integer overflows in GD

diff --git a/NEWS b/NEWS
index eb7b462df1b1090fb69d324cc8461560c2deb49e..1030ad6d04d8c58159c797d5b2f6f302f4061fa1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre)
 - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, 
   Tony)
+- Fixed several integer overflows in bundled GD library reported by 
+  Mattias Bengtsson. (Tony)
 - Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory 
   already exists). (Pierre)
 - Fixed bug #41608 (segfault on a weird code with objects and switch()). 

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 824e73a6da846b12249712287473245d71b8e5ae..834e2b7501e193604f33c37daf14f1f8a954b438 100644 (file)
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1740,6 +1740,10 @@ PHP_FUNCTION(imagecreatetruecolor)
 
        im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
 
+       if (!im) {
+               RETURN_FALSE;
+       }
+
        ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
@@ -2350,6 +2354,10 @@ PHP_FUNCTION(imagecreate)
 
        im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
 
+       if (!im) {
+               RETURN_FALSE;
+       }
+
        ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 4901594b70c3b91595dbee75be1340254d39d1c0..17d4594c846be42114bd0d3f21095efa16e149ae 100644 (file)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -120,6 +120,15 @@ gdImagePtr gdImageCreate (int sx, int sy)
 {
        int i;
        gdImagePtr im;
+
+       if (overflow2(sx, sy)) {
+               return NULL;
+       }
+
+       if (overflow2(sizeof(unsigned char *), sy)) {
+               return NULL;
+       }
+
        im = (gdImage *) gdMalloc(sizeof(gdImage));
        memset(im, 0, sizeof(gdImage));
        /* Row-major ever since gd 1.3 */
@@ -162,6 +171,19 @@ gdImagePtr gdImageCreateTrueColor (int sx, int sy)
 {
        int i;
        gdImagePtr im;
+
+       if (overflow2(sx, sy)) {
+               return NULL;
+       }
+
+       if (overflow2(sizeof(unsigned char *), sy)) {
+               return NULL;
+       }
+       
+       if (overflow2(sizeof(int), sx)) {
+               return NULL;
+       }
+
        im = (gdImage *) gdMalloc(sizeof(gdImage));
        memset(im, 0, sizeof(gdImage));
        im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
@@ -2404,6 +2426,14 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
        int *stx, *sty;
        /* We only need to use floating point to determine the correct stretch vector for one line's worth. */
        double accum;
+       
+       if (overflow2(sizeof(int), srcW)) {
+               return;
+       }
+       if (overflow2(sizeof(int), srcH)) {
+               return;
+       }
+
        stx = (int *) gdMalloc (sizeof (int) * srcW);
        sty = (int *) gdMalloc (sizeof (int) * srcH);
        accum = 0;
@@ -3195,6 +3225,10 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
                return;
        }
 
+       if (overflow2(sizeof(int), n)) {
+               return;
+       }
+
        if (c == gdAntiAliased) {
                fill_color = im->AA_color;
        } else {
@@ -3209,6 +3243,9 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
                while (im->polyAllocated < n) {
                        im->polyAllocated *= 2;
                }
+               if (overflow2(sizeof(int), im->polyAllocated)) {
+                       return;
+               }
                im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);
        }
        miny = p[0].y;