iliaa Thu Apr 3 20:17:35 2003 EDT Modified files: (Branch: PHP_4_3) /php4 TODO_SEGFAULTS Log: Notes about various possible integer overflows in bundled gd library. Index: php4/TODO_SEGFAULTS diff -u php4/TODO_SEGFAULTS:1.1.2.24 php4/TODO_SEGFAULTS:1.1.2.25 --- php4/TODO_SEGFAULTS:1.1.2.24 Thu Apr 3 19:44:34 2003 +++ php4/TODO_SEGFAULTS Thu Apr 3 20:17:35 2003 @@ -29,6 +29,7 @@ socket_select (4) php_imagepolygon (5) imagesetstyle (6) + bundled gd (7) (1) heap corruption, mostly visible in malloc-related calls. Whether you see this or not might depend on your libc/compiler. Hard to track down, @@ -84,6 +85,20 @@ second argument * sizeof(int) result in an overflow. gdImageSetStyle function called by this php wrapper can die for the same reason. + +(7) multiple integer overflows that can occur when trying to allocate a buffer + for a new image. Affected functions: + gdImageCreateFromJpegCtx + readwbmp + gdImageCreateFromXpm + gdImageCreateFromPngCtx + gdImagePngCtx + gdImageCreateFromJpegCtx + gdImageJpegCtx + gdImageCreateFromGd2Ctx + gdImageCreateFromGd2PartCtx + _gdImageGd2 + GetDataBlock (gd_gif_in.c) Ammendment 1.
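Review bot: In the first hunk the new index entry "bundled gd (7)" names a whole library where every neighbouring entry (socket_select, php_imagepolygon, imagesetstyle) names a single function, so a reader scanning the list cannot tell which call paths are meant without jumping to note (7); consider making the entry descriptive, e.g. "bundled gd image-allocation paths (7)", or listing the entry points themselves as the other items do.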
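Review bot: In the second hunk, note (7) lists gdImageCreateFromJpegCtx twice (third and seventh entries), gives a source file for only one function (GetDataBlock (gd_gif_in.c)) while the others have none, and misspells "Ammendment"; it also says "multiple integer overflows ... when trying to allocate a buffer for a new image" without naming which multiplied quantities overflow, whereas the preceding note (6) states the exact expression ("second argument * sizeof(int)"). Dropping the duplicate, giving a file per function, and stating the overflowing product for each allocation in the same form as (6) would make the entry actionable when the fixes are written, and "Ammendment 1." should say what it amends.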
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php