From: Nikita Popov Date: Wed, 19 Jun 2019 13:50:52 +0000 (+0200) Subject: imageloadfont: Perform overflow check before calculation X-Git-Tag: php-7.4.0alpha2~51^2~3 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=88b603768f8e5074ad5cbdccc1e0779089fac9d0;p=php imageloadfont: Perform overflow check before calculation Instead of afterwards...
---
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index eb6a3fcca9..1ae52c663e 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1443,6 +1443,13 @@ PHP_FUNCTION(imageloadfont)
 body_size_check = php_stream_tell(stream) - hdr_size;
 php_stream_seek(stream, i, SEEK_SET);
+ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
+ php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header");
+ efree(font);
+ php_stream_close(stream);
+ RETURN_FALSE;
+ }
+
 body_size = font->w * font->h * font->nchars;
 if (body_size != body_size_check) {
 font->w = FLIPWORD(font->w);
@@ -1451,13 +1458,6 @@ PHP_FUNCTION(imageloadfont)
 body_size = font->w * font->h * font->nchars;
 }
- if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
- php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header");
- efree(font);
- php_stream_close(stream);
- RETURN_FALSE;
- }
-
 if (body_size != body_size_check) {
 php_error_docref(NULL, E_WARNING, "Error reading font");
 efree(font);
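Review bot: The byte-swapped header values are multiplied without any overflow check: the guard added at the top of the first hunk runs once on the fields as read, but when `body_size != body_size_check` the fields are replaced via `FLIPWORD` and `body_size = font->w * font->h * font->nchars;` (first context line of the second hunk) is recomputed from the swapped values, which come from the font file, with no `overflow2` call in between. Before this commit the check ran after the swap, so it at least covered the final values; now nothing does. Repeating the guard inside the swap branch, just before the recomputation, closes that gap; the lines between the two hunks are not visible here, so the placement below assumes they only swap the remaining fields. Separately, a font stored in the other byte order may now be rejected with "invalid font header" before the swap is even tried, if its unswapped fields happen to trip `overflow2`, which is worth confirming with an opposite-endian test font.

```c
		/* … unchanged: FLIPWORD byte-swaps of the header fields … */
		if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w)) {
			php_error_docref(NULL, E_WARNING, "Error reading font, invalid font header");
			efree(font);
			php_stream_close(stream);
			RETURN_FALSE;
		}
		body_size = font->w * font->h * font->nchars;
```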