iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in...

diff --git a/NEWS b/NEWS
index fffc443a7cf3ecdf72e7ceca01a16ccae458d360..6f1461c2f9e2975a4230f97cc7b7489607b47ed2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,8 @@ PHP                                                                        NEWS
   . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in 
     heap overflow). (Pierre)
   . Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
+  . Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
+    in heap overflow). (Pierre)
 
 - mbstring:
    . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 2c63aac4cd4a4ed1e613920b13bea49f628c47bf..4dad95ae3930bf1d225b604cdeed9200704fde7a 100644 (file)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
                return NULL;
        }
 
+       if (overflow2(sizeof(unsigned char *), sx)) {
+               return NULL;
+       }
+
        im = (gdImage *) gdCalloc(1, sizeof(gdImage));
 
        /* Row-major ever since gd 1.3 */
@@ -1098,12 +1102,12 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
        int thick = im->thick;
 
        if (color == gdAntiAliased) {
-               /* 
+               /*
                   gdAntiAliased passed as color: use the much faster, much cheaper
                   and equally attractive gdImageAALine implementation. That
                   clips too, so don't clip twice.
                   */
-               gdImageAALine(im, x1, y1, x2, y2, im->AA_color); 
+               gdImageAALine(im, x1, y1, x2, y2, im->AA_color);
                return;
        }
 
@@ -1880,7 +1884,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
                return;
        }
 
-       alphablending_bak = im->alphaBlendingFlag;      
+       alphablending_bak = im->alphaBlendingFlag;
        im->alphaBlendingFlag = 0;
 
        if (nc==gdTiled){
@@ -1892,7 +1896,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
        wx2=im->sx;wy2=im->sy;
        oc = gdImageGetPixel(im, x, y);
        if (oc==nc || x<0 || x>wx2 || y<0 || y>wy2) {
-               im->alphaBlendingFlag = alphablending_bak;      
+               im->alphaBlendingFlag = alphablending_bak;
                return;
        }
 
@@ -1955,7 +1959,7 @@ skip:                     for (x++; x<=x2 && (gdImageGetPixel(im, x, y)!=oc); x++);
        efree(stack);
 
 done:
-       im->alphaBlendingFlag = alphablending_bak;      
+       im->alphaBlendingFlag = alphablending_bak;
 }
 
 static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
@@ -2061,7 +2065,7 @@ void gdImageRectangle (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
 
                x1ul = x1 - half;
                y1ul = y1 - half;
-               
+
                x2lr = x2 + half;
                y2lr = y2 + half;
 
@@ -2259,7 +2263,7 @@ void gdImageCopyMerge (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int s
        int tox, toy;
        int ncR, ncG, ncB;
        toy = dstY;
-       
+
        for (y = srcY; y < (srcY + h); y++) {
                tox = dstX;
                for (x = srcX; x < (srcX + w); x++) {
@@ -2356,7 +2360,7 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
        int colorMap[gdMaxColors];
        /* Stretch vectors */
        int *stx, *sty;
-       
+
        if (overflow2(sizeof(int), srcW)) {
                return;
        }
@@ -2901,7 +2905,7 @@ int gdAlphaBlend (int dst, int src) {
     src_weight = gdAlphaTransparent - src_alpha;
     dst_weight = (gdAlphaTransparent - dst_alpha) * src_alpha / gdAlphaMax;
     tot_weight = src_weight + dst_weight;
-    
+
 /* -------------------------------------------------------------------- */
 /*      What red, green and blue result values will we use?             */
 /* -------------------------------------------------------------------- */