iliaa Thu Apr 3 20:17:35 2003 EDT
Modified files: (Branch: PHP_4_3)
/php4 TODO_SEGFAULTS
Log:
Notes about various possible integer overflows in bundled gd library.
Index: php4/TODO_SEGFAULTS
diff -u php4/TODO_SEGFAULTS:1.1.2.24 php4/TODO_SEGFAULTS:1.1.2.25
--- php4/TODO_SEGFAULTS:1.1.2.24 Thu Apr 3 19:44:34 2003
+++ php4/TODO_SEGFAULTS Thu Apr 3 20:17:35 2003
@@ -29,6 +29,7 @@
socket_select (4)
php_imagepolygon (5)
imagesetstyle (6)
+ bundled gd (7)
(1) heap corruption, mostly visible in malloc-related calls. Whether you see
this or not might depend on your libc/compiler. Hard to track down,
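Review bot: "bundled gd (7)" is the only entry in this list that names a library instead of a single function, so someone scanning the list for a specific crashing function will not find the gd entry points here; consider either naming the affected gdImage* functions in this entry or stating that they are enumerated under (7).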
@@ -84,6 +85,20 @@
second argument * sizeof(int) result in an overflow.
gdImageSetStyle function called by this php wrapper can die for the
same reason.
+
+(7) multiple integer overflows that can occur when trying to allocate a buffer
+ for a new image. Affected functions:
+ gdImageCreateFromJpegCtx
+ readwbmp
+ gdImageCreateFromXpm
+ gdImageCreateFromPngCtx
+ gdImagePngCtx
+ gdImageCreateFromJpegCtx
+ gdImageJpegCtx
+ gdImageCreateFromGd2Ctx
+ gdImageCreateFromGd2PartCtx
+ _gdImageGd2
+ GetDataBlock (gd_gif_in.c)
Ammendment 1.
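Review bot: gdImageCreateFromJpegCtx is listed twice in the (7) function list; drop the second occurrence so the count of affected entry points is not overstated. The description "allocate a buffer for a new image" also does not fit every name on the list: gdImagePngCtx, gdImageJpegCtx and _gdImageGd2 are writers that size an output buffer rather than create a new image, so a wording such as "when sizing an image or output buffer" would cover both directions. Finally, entry (6) records the exact expression that overflows ("second argument * sizeof(int)"); (7) should do the same, at least for the width/height-derived arithmetic, so that whoever picks this up knows which multiplications to bound-check in each function.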
--
PHP CVS Mailing List (http://www.php.net/)