From: Ilia Alshanetsky Date: Fri, 4 Apr 2003 01:17:35 +0000 (+0000) Subject: Notes about various possible integer overflows in bundled gd library. X-Git-Tag: php-4.3.2RC2~163 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=50f76f501c4c81bc5314a4139b4b38b64504807a;p=php Notes about various possible integer overflows in bundled gd library. --- diff --git a/TODO_SEGFAULTS b/TODO_SEGFAULTS index d3e09eda0e..04219430ff 100644 --- a/TODO_SEGFAULTS +++ b/TODO_SEGFAULTS @@ -29,6 +29,7 @@ Open: socket_select (4) php_imagepolygon (5) imagesetstyle (6) + bundled gd (7) (1) heap corruption, mostly visible in malloc-related calls. Whether you see this or not might depend on your libc/compiler. Hard to track down, @@ -85,6 +86,20 @@ Methodology gdImageSetStyle function called by this php wrapper can die for the same reason. +(7) multiple integer overflows that can occur when trying to allocate a buffer + for a new image. Affected functions: + gdImageCreateFromJpegCtx + readwbmp + gdImageCreateFromXpm + gdImageCreateFromPngCtx + gdImagePngCtx + gdImageCreateFromJpegCtx + gdImageJpegCtx + gdImageCreateFromGd2Ctx + gdImageCreateFromGd2PartCtx + _gdImageGd2 + GetDataBlock (gd_gif_in.c) + Ammendment 1. CFLAGS='-O0 -g' \
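Review bot: the new "bundled gd (7)" line in the Open list names a whole library, whereas the neighbouring entries (php_imagepolygon (5), imagesetstyle (6)) each name a single function that can be ticked off once fixed; consider listing the entry points (or at least the gd source files) so that the item can be closed piecemeal like the others.

Review bot: in the new item (7), gdImageCreateFromJpegCtx appears twice in the affected-functions list; drop the duplicate. The item also only says the overflows happen "when trying to allocate a buffer for a new image" without recording which size computation can wrap or what bound is missing, while the other items do give that detail (item (6) at least says why gdImageSetStyle can die); add, per function, the expression that overflows and the check that should precede the allocation, so the entry states a concrete fix. Finally, only GetDataBlock carries its file (gd_gif_in.c); give the file for each name, since entries such as readwbmp are otherwise hard to locate.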