From: Ilia Alshanetsky
Date: Tue, 3 Jun 2003 23:23:21 +0000 (+0000)
Subject: Integer overflow checks.
X-Git-Tag: RELEASE_1_0_2~445
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7a35766dec2f34fc3953be6b386e7510f8cb355a;p=php
Integer overflow checks.
---
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 80fb2b8a96..5034afec60 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -139,6 +139,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 nc = (*ncx) * (*ncy);
 GD2_DBG(php_gd_error("Reading %d chunk index entries\n", nc));
 sidx = sizeof(t_chunk_info) * nc;
+ if (sidx <= 0) {
+ goto fail1;
+ }
 cidx = gdCalloc(sidx, 1);
 for (i = 0; i < nc; i++) {
 if (gdGetInt(&cidx[i].offset, in) != 1) {
@@ -272,6 +275,9 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
 /* Allocate buffers */
 chunkMax = cs * bytesPerPixel * cs;
+ if (chunkMax <= 0) {
+ return 0;
+ }
 chunkBuf = gdCalloc(chunkMax, 1);
 compBuf = gdCalloc(compMax, 1);
@@ -447,6 +453,10 @@ gdImagePtr gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w,
 } else {
 chunkMax = cs * cs;
 }
+ if (chunkMax <= 0) {
+ goto fail2;
+ }
+
 chunkBuf = gdCalloc(chunkMax, 1);
 compBuf = gdCalloc(compMax, 1);
 }
@@ -659,7 +669,11 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
 compMax = (int)(cs * bytesPerPixel * cs * 1.02f) + 12;
 /* Allocate the buffers. */
- chunkData = gdCalloc(cs * bytesPerPixel * cs, 1);
+ chunkData = safe_emalloc(cs * bytesPerPixel, cs, 0);
+ memset(chunkData, 0, cs * bytesPerPixel * cs);
+ if (compMax <= 0) {
+ goto fail;
+ }
 compData = gdCalloc(compMax, 1);
 /* Save the file position of chunk index, and allocate enough space for
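Review bot: In the `_gd2GetHeader` hunk (-139), `if (sidx <= 0)` runs only after `nc = (*ncx) * (*ncy)` and `sizeof(t_chunk_info) * nc` have been evaluated, so a product that wraps to a positive value passes the check, and a signed multiply that overflows is already undefined. These counts appear to come from the file being parsed, so bound the factors before multiplying, assuming they are `int`: `if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) goto fail1;`, with a matching test of `nc` against `INT_MAX / sizeof(t_chunk_info)`. The same after-the-fact test is applied to `chunkMax` in the `gdImageCreateFromGd2Ctx` (-272) and `gdImageCreateFromGd2PartCtx` (-447) hunks. The function body continues outside this hunk.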
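Review bot: The new `return 0;` in the `gdImageCreateFromGd2Ctx` hunk (-272) leaves the function directly, whereas the equivalent checks in the other two reader hunks use `goto fail1` and `goto fail2`. The code before this point is outside the hunk, but if an image or chunk index has already been allocated there, this early return would leak it; routing the failure through the function's cleanup path, if it has one, would avoid that. `compMax` is still passed to `gdCalloc` two lines later without any range check, in this hunk and in the -447 one.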
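Review bot: In the `_gdImageGd2` hunk (-659), `goto fail` is taken before `compData` is assigned, and the `fail:` label added in the -754 hunk is followed by `if (chunkData) { gdFree(chunkData);` and presumably similar tests for the other buffers. The declarations are outside the hunk, so confirm that `chunkData`, `compData` and `chunkIdx` all start as NULL, otherwise the cleanup frees an indeterminate pointer. Separately, `compMax <= 0` is tested after the `(int)` cast of a float product, and an out-of-range conversion is undefined, so it is more reliable to bound `cs` before computing `compMax` than to test the result. The first argument `cs * bytesPerPixel` is likewise multiplied in `int` before `safe_emalloc` can check anything.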
@@ -670,7 +684,8 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
 GD2_DBG(php_gd_error("Index size is %d\n", idxSize));
 gdSeek(out, idxPos + idxSize);
- chunkIdx = gdCalloc(idxSize * sizeof(t_chunk_info), 1);
+ chunkIdx = safe_emalloc(idxSize, sizeof(t_chunk_info), 0);
+ memset(chunkIdx, 0, idxSize * sizeof(t_chunk_info));
 }
 _gdPutColors (im, out);
@@ -754,7 +769,7 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
 }
 gdSeek(out, posSave);
 }
-
+fail:
 GD2_DBG(php_gd_error("Freeing memory\n"));
 if (chunkData) {
 gdFree(chunkData);
diff --git a/ext/gd/libgd/gd_jpeg.c b/ext/gd/libgd/gd_jpeg.c
index 8fe30108f8..0f0211c4b5 100644
--- a/ext/gd/libgd/gd_jpeg.c
+++ b/ext/gd/libgd/gd_jpeg.c
@@ -144,7 +144,8 @@ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
 jpeg_gdIOCtx_dest (&cinfo, outfile);
- row = (JSAMPROW) gdCalloc (1, cinfo.image_width * cinfo.input_components * sizeof (JSAMPLE));
+ row = (JSAMPROW) safe_emalloc(cinfo.image_width * cinfo.input_components, sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.image_width * cinfo.input_components * sizeof(JSAMPLE));
 rowptr[0] = row;
 jpeg_start_compress (&cinfo, TRUE);
@@ -310,7 +311,8 @@ gdImagePtr gdImageCreateFromJpegCtx (gdIOCtx * infile)
 goto error;
 #endif /* BITS_IN_JSAMPLE == 12 */
- row = gdCalloc (cinfo.output_width * 3, sizeof (JSAMPLE));
+ row = safe_emalloc(cinfo.output_width * 3, sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.output_width * 3 * sizeof(JSAMPLE));
 rowptr[0] = row;
 for (i = 0; i < cinfo.output_height; i++) {
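Review bot: `idxSize` is used as a byte count in `gdSeek(out, idxPos + idxSize)` and then as an element count in `safe_emalloc(idxSize, sizeof(t_chunk_info), 0)`, so the buffer looks `sizeof(t_chunk_info)` times larger than the index needs. This is carried over from the removed `gdCalloc` line rather than introduced here, and the assignment to `idxSize` is outside the hunk, so its unit should be confirmed. If it is already in bytes, `chunkIdx = safe_emalloc(idxSize, 1, 0);` with `memset(chunkIdx, 0, idxSize);` is sufficient. A short comment at the allocation, such as `/* idxSize is a byte count */`, would make the intent explicit.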
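Review bot: `safe_emalloc` in the `gdImageJpegCtx` hunk (-144) only sees the finished product `cinfo.image_width * cinfo.input_components`, so a wrap in that multiplication goes undetected and the helper's check reduces to multiplying by `sizeof(JSAMPLE)`. Passing the factors separately lets the helper do the work: `row = (JSAMPROW) safe_emalloc(cinfo.image_width, cinfo.input_components * sizeof(JSAMPLE), 0);`. The `gdImageCreateFromJpegCtx` hunk (-310) has the same shape with `cinfo.output_width * 3`, where the width presumably comes from the decoded file, and could use `safe_emalloc(cinfo.output_width, 3 * sizeof(JSAMPLE), 0)`. In both hunks the `memset` length recomputes the same product; computing the length once and reusing it would keep the allocation and the clear in agreement.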