From e83404fea21be29cd3138302011773e70d1fcc3d Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Tue, 3 Jun 2003 23:57:59 +0000 Subject: [PATCH] GD stuff --- NEWS | 2 ++ TODO_SEGFAULTS | 29 ++++++----------------------- 2 files changed, 8 insertions(+), 23 deletions(-) diff --git a/NEWS b/NEWS index 96130ff195..f91fb95ece 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,8 @@ PHP 4 NEWS - Added long options into CLI & CGI (e.g. --version). (Marcus) - Fixed ext/yaz to not log unless yaz.log_file is set. (Adam Dickmeiss) - Fixed ext/exif to honor "magic_quotes_runtime" php.ini option. (Marcus) +- Synchronized bundled GD library with GD 2.0.14. (Ilia) +- Added integer overflow checks to bundled GD library. (Ilia) - Fixed bug #23913 (make rename() work across partitions on *nix). (Ilia) - Fixed bug #23912 (Invalid CSS in phpinfo() output). (Ilia) - Fixed bug #23902 (NULL in CGI header output). (Shane) diff --git a/TODO_SEGFAULTS b/TODO_SEGFAULTS index 58b70ce2b9..05256ff37c 100644 --- a/TODO_SEGFAULTS +++ b/TODO_SEGFAULTS @@ -15,6 +15,7 @@ Fixed: str_repeat (Ilia) imagecopyresized (Ilia) mhash_keygen_s2k (Ilia) + bundled gd (Ilia) mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi) xml_parser_create (Moriyoshi) ob_start (Sascha) @@ -31,9 +32,8 @@ Open: socket_select (3) php_imagepolygon (4) imagesetstyle (5) - bundled gd (6) - php_base64_encode (8) - pack (9) + php_base64_encode (6) + pack (7) (1) heap corruption, mostly visible in malloc-related calls. Whether you see this or not might depend on your libc/compiler. Hard to track down, 
@@ -83,26 +83,9 @@ Methodology gdImageSetStyle function called by this php wrapper can die for the same reason. -(6) multiple integer overflows that can occur when trying to allocate a buffer - for a new image. Affected functions: - gdImageCreateFromJpegCtx - readwbmp - gdImageCreateFromXpm - gdImageCreateFromPngCtx - gdImagePngCtx - gdImageCreateFromJpegCtx - gdImageJpegCtx - gdImageCreateFromGd2Ctx - gdImageCreateFromGd2PartCtx - _gdImageGd2 - GetDataBlock (gd_gif_in.c) - -(7) few possible integer overflows, once safe_emalloc() or something similar - is implemented they can all be addressed. - -(8) integer overflow if the specified string is longer then ~1.1 billion bytes. - -(9) multiple integer overflows, ex. pack("d4294967297", 2); +(6) integer overflow if the specified string is longer then ~1.1 billion bytes. + +(7) multiple integer overflows, ex. pack("d4294967297", 2); Ammendment 1. -- 2.50.1
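Review bot: In the NEWS hunk, the two new entries ("Synchronized bundled GD library with GD 2.0.14" and "Added integer overflow checks to bundled GD library") describe code changes that are not part of this patch: the header lists only NEWS and TODO_SEGFAULTS as changed files, and the subject line "GD stuff" gives no further pointer. Unlike the surrounding entries, which cite a bug number (#23913, #23912, #23902), these give a reader no way to locate the actual ext/gd changes; please reference the bug number or the commit that carried the GD code, or at least name the allocation paths that gained the overflow checks, so the claim in NEWS can be verified against the code.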
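Review bot: In the first TODO_SEGFAULTS hunk, the new "bundled gd (Ilia)" line under Fixed is much less specific than its neighbours ("str_repeat", "imagecopyresized", "mhash_keygen_s2k"), which each name the function that was hardened. Since the open item being closed enumerated eleven concrete functions (gdImageCreateFromJpegCtx, readwbmp, gdImageCreateFromXpm, gdImageCreateFromPngCtx, gdImagePngCtx, gdImageJpegCtx, gdImageCreateFromGd2Ctx, gdImageCreateFromGd2PartCtx, _gdImageGd2, GetDataBlock in gd_gif_in.c), the Fixed entry should say whether all of them were addressed; otherwise anyone auditing the bundled GD later cannot tell which allocation sizes were checked and which were not.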
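Review bot: In the Open-list hunk, "bundled gd (6)" is removed and the remaining entries are renumbered from (8)/(9) to (6)/(7), which matches the footnote renumbering further down, so the cross-references stay consistent. Note, however, that the old footnote (7) ("few possible integer overflows, once safe_emalloc() or something similar is implemented they can all be addressed") never had a corresponding list entry in this section, so its removal leaves no trace in either the Open or the Fixed list; if those overflows were not actually resolved by the GD sync, that footnote should stay, and if they were, a Fixed entry should record it.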
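Review bot: In the footnote hunk, the new line "+(6) integer overflow if the specified string is longer then ~1.1 billion bytes." carries over the typo "longer then" from the removed (8); since the line is being rewritten anyway, change it to "longer than". Two smaller points on the same hunk: the removed (6) list contained "gdImageCreateFromJpegCtx" twice, so the count of affected functions was ten distinct names, not eleven, which is worth stating correctly wherever the fix is recorded; and the trailing context line "Ammendment 1." is also misspelled ("Amendment") and could be corrected in a follow-up.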