From: Remi Collet Date: Mon, 6 May 2013 08:00:45 +0000 (+0200) Subject: Revert removal of overflow2 use in gd.c X-Git-Tag: php-5.5.0RC1~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9480de29db25982c75a7317ba779eec3d3847781;p=php Revert removal of overflow2 use in gd.c Function provided by gd_security with bundled libgd Function provided by gd_compat with system libgd This fix failed test imageloadfont_invalid.phpt This test now also pass with system libgd
---
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index d463444120..d6d2848d41 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -57,9 +57,8 @@
 # include
 #endif
-#ifndef HAVE_GD_BUNDLED
 # include "gd_compat.h"
-#endif /* HAVE_GD_BUNDLED */
+
 static int le_gd, le_gd_font;
 #if HAVE_LIBT1
@@ -1468,9 +1467,7 @@ PHP_FUNCTION(imageloadfont)
 body_size = font->w * font->h * font->nchars;
 }
- if ((font->nchars <= 0 || font->h <= 0 || font->w <= 0 ) || \
- (font->nchars > INT_MAX / font->h) || \
- (font->nchars * font->h > INT_MAX / font->w)) {
+ if (overflow2(font->nchars, font->h) || overflow2(font->nchars * font->h, font->w )) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header");
 efree(font);
 php_stream_close(stream);
diff --git a/ext/gd/gd_compat.c b/ext/gd/gd_compat.c
index 35b6457858..14538d401f 100644
--- a/ext/gd/gd_compat.c
+++ b/ext/gd/gd_compat.c
@@ -10,6 +10,7 @@
 #endif
 #include "gd_compat.h"
+#include
 #ifdef HAVE_GD_JPG
 int gdJpegGetVersionInt()
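Review bot: In ext/gd/gd.c, PHP_FUNCTION(imageloadfont), the `overflow2()` guard added here runs after the context line `body_size = font->w * font->h * font->nchars;`, so the header fields taken from the font file are multiplied (apparently as signed ints) before anything has validated them. Signed overflow is undefined behaviour in C, so the guard would be sounder if it ran before the product is formed, or if the product were computed in a wider unsigned type until the check has passed. The second call, `overflow2(font->nchars * font->h, font->w)`, is safe only because `||` short-circuits once the first call has rejected the pair; a one-line comment such as `/* second product is only evaluated after nchars * h is known to fit */` would keep a later edit from reordering the two. The function body starts and ends outside this hunk, so any earlier validation of the header is not visible here.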
@@ -45,3 +46,18 @@ const char * gdPngGetVersionString()
 }
 #endif
+int overflow2(int a, int b)
+{
+ TSRMLS_FETCH();
+
+ if(a <= 0 || b <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully\n");
+ return 1;
+ }
+ if(a > INT_MAX / b) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+ return 1;
+ }
+ return 0;
+}
+
diff --git a/ext/gd/gd_compat.h b/ext/gd/gd_compat.h
index ea812ea2c4..db757f5988 100644
--- a/ext/gd/gd_compat.h
+++ b/ext/gd/gd_compat.h
@@ -1,8 +1,14 @@
 #ifndef GD_COMPAT_H
 #define GD_COMPAT_H 1
+#ifndef HAVE_GD_BUNDLED
+/* from gd_compat.c */
 const char * gdPngGetVersionString();
 const char * gdJpegGetVersionString();
 int gdJpegGetVersionInt();
+#endif
+
+/* from gd_compat.c of libgd/gd_security.c */
+int overflow2(int a, int b);
 #endif /* GD_COMPAT_H */
diff --git a/ext/gd/tests/imageloadfont_invalid.phpt b/ext/gd/tests/imageloadfont_invalid.phpt
index 07bf150ac8..6cf0e336b6 100644
--- a/ext/gd/tests/imageloadfont_invalid.phpt
+++ b/ext/gd/tests/imageloadfont_invalid.phpt
@@ -3,7 +3,6 @@ imageloadfont() function crashes --SKIPIF-- --FILE--
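Review bot: `overflow2()` in ext/gd/gd_compat.c is added without a comment stating its contract, and callers depend on a return value that is easy to read backwards: 1 means the product must not be computed, 0 means `a * b` fits in an int. I would add above the definition `/* Returns 1 and raises E_WARNING if a or b is <= 0 or a * b would exceed INT_MAX; returns 0 when the product is safe. */`. Both warning strings end in `\n`, unlike the `php_error_docref()` message in the imageloadfont hunk of this commit, and because that caller raises its own warning as well, a rejected font header will apparently log two warnings; worth confirming that is intended. The function also has external linkage under the name the header comment attributes to libgd's gd_security.c, so it is worth checking that gd_compat.c is only linked in builds where libgd does not export the same symbol.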
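Review bot: In ext/gd/gd_compat.h the new comment `/* from gd_compat.c of libgd/gd_security.c */` presumably means "or", since the commit message says the function comes from gd_security with bundled libgd and from gd_compat with system libgd; `/* from gd_compat.c or libgd/gd_security.c */` reads correctly. The prototype is now visible in both build modes, so if the bundled libgd headers also declare `overflow2`, the two declarations have to stay identical for the guard to keep compiling cleanly.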