iliaa Tue Jun 3 19:23:22 2003 EDT
Modified files:
/php4/ext/gd/libgd gd_gd2.c gd_jpeg.c
Log:
Integer overflow checks.
Index: php4/ext/gd/libgd/gd_gd2.c
diff -u php4/ext/gd/libgd/gd_gd2.c:1.12 php4/ext/gd/libgd/gd_gd2.c:1.13
--- php4/ext/gd/libgd/gd_gd2.c:1.12 Sat Apr 5 12:23:55 2003
+++ php4/ext/gd/libgd/gd_gd2.c Tue Jun 3 19:23:21 2003
@@ -139,6 +139,9 @@
nc = (*ncx) * (*ncy);
GD2_DBG(php_gd_error("Reading %d chunk index entries\n", nc));
sidx = sizeof(t_chunk_info) * nc;
+ if (sidx <= 0) {
+ goto fail1;
+ }
cidx = gdCalloc(sidx, 1);
for (i = 0; i < nc; i++) {
if (gdGetInt(&cidx[i].offset, in) != 1) {
@@ -272,6 +275,9 @@
/* Allocate buffers */
chunkMax = cs * bytesPerPixel * cs;
+ if (chunkMax <= 0) {
+ return 0;
+ }
chunkBuf = gdCalloc(chunkMax, 1);
compBuf = gdCalloc(compMax, 1);
@@ -447,6 +453,10 @@
} else {
chunkMax = cs * cs;
}
+ if (chunkMax <= 0) {
+ goto fail2;
+ }
+
chunkBuf = gdCalloc(chunkMax, 1);
compBuf = gdCalloc(compMax, 1);
}
@@ -659,7 +669,11 @@
compMax = (int)(cs * bytesPerPixel * cs * 1.02f) + 12;
/* Allocate the buffers. */
- chunkData = gdCalloc(cs * bytesPerPixel * cs, 1);
+ chunkData = safe_emalloc(cs * bytesPerPixel, cs, 0);
+ memset(chunkData, 0, cs * bytesPerPixel * cs);
+ if (compMax <= 0) {
+ goto fail;
+ }
compData = gdCalloc(compMax, 1);
/* Save the file position of chunk index, and allocate enough space for
@@ -670,7 +684,8 @@
GD2_DBG(php_gd_error("Index size is %d\n", idxSize));
gdSeek(out, idxPos + idxSize);
- chunkIdx = gdCalloc(idxSize * sizeof(t_chunk_info), 1);
+ chunkIdx = safe_emalloc(idxSize, sizeof(t_chunk_info), 0);
+ memset(chunkIdx, 0, idxSize * sizeof(t_chunk_info));
}
_gdPutColors (im, out);
@@ -754,7 +769,7 @@
}
gdSeek(out, posSave);
}
-
+fail:
GD2_DBG(php_gd_error("Freeing memory\n"));
if (chunkData) {
gdFree(chunkData);
Index: php4/ext/gd/libgd/gd_jpeg.c
diff -u php4/ext/gd/libgd/gd_jpeg.c:1.12 php4/ext/gd/libgd/gd_jpeg.c:1.13
--- php4/ext/gd/libgd/gd_jpeg.c:1.12 Tue Apr 8 03:36:58 2003
+++ php4/ext/gd/libgd/gd_jpeg.c Tue Jun 3 19:23:21 2003
@@ -144,7 +144,8 @@
jpeg_gdIOCtx_dest (&cinfo, outfile);
- row = (JSAMPROW) gdCalloc (1, cinfo.image_width * cinfo.input_components *
sizeof (JSAMPLE));
+ row = (JSAMPROW) safe_emalloc(cinfo.image_width * cinfo.input_components,
sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.image_width * cinfo.input_components * sizeof(JSAMPLE));
rowptr[0] = row;
jpeg_start_compress (&cinfo, TRUE);
@@ -310,7 +311,8 @@
goto error;
#endif /* BITS_IN_JSAMPLE == 12 */
- row = gdCalloc (cinfo.output_width * 3, sizeof (JSAMPLE));
+ row = safe_emalloc(cinfo.output_width * 3, sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.output_width * 3 * sizeof(JSAMPLE));
rowptr[0] = row;
for (i = 0; i < cinfo.output_height; i++) {
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
