iliaa           Tue Jun  3 19:57:59 2003 EDT

  Modified files:              (Branch: PHP_4_3)
    /php4       TODO_SEGFAULTS NEWS 
  Log:
  GD stuff
  
  
Index: php4/TODO_SEGFAULTS
diff -u php4/TODO_SEGFAULTS:1.1.2.32 php4/TODO_SEGFAULTS:1.1.2.33
--- php4/TODO_SEGFAULTS:1.1.2.32        Wed Apr 16 15:17:27 2003
+++ php4/TODO_SEGFAULTS Tue Jun  3 19:57:58 2003
@@ -15,6 +15,7 @@
     str_repeat (Ilia)
     imagecopyresized (Ilia)
     mhash_keygen_s2k (Ilia)
+    bundled gd (Ilia)
     mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi)
     xml_parser_create (Moriyoshi)
     ob_start (Sascha)
@@ -31,9 +32,8 @@
     socket_select               (3)
     php_imagepolygon            (4)
     imagesetstyle               (5)
-    bundled gd                  (6)
-    php_base64_encode          (8)
-    pack                       (9)
+    php_base64_encode          (6)
+    pack                       (7)
        
 (1) heap corruption, mostly visible in malloc-related calls.  Whether you see 
     this or not might depend on your libc/compiler.  Hard to track down,
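Review bot: Reusing footnote numbers (6) and (7) for php_base64_encode and pack is risky, because the footnote that used to be (7) is deleted further down in this same file. No entry tagged (7) appears in the lines shown here, but any entry outside the shown context that still carries (7) would now point at the pack() footnote without anyone noticing. Please confirm that no such entry remains in the open list, or retag it as part of this change.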
@@ -83,26 +83,9 @@
     gdImageSetStyle function called by this php wrapper can die for the
     same reason.  
 
-(6) multiple integer overflows that can occur when trying to allocate a buffer
-    for a new image. Affected functions:
-    gdImageCreateFromJpegCtx
-    readwbmp
-    gdImageCreateFromXpm
-    gdImageCreateFromPngCtx
-    gdImagePngCtx
-    gdImageCreateFromJpegCtx
-    gdImageJpegCtx
-    gdImageCreateFromGd2Ctx
-    gdImageCreateFromGd2PartCtx
-    _gdImageGd2
-    GetDataBlock (gd_gif_in.c)
+(6) integer overflow if the specified string is longer then ~1.1 billion bytes.
 
-(7) few possible integer overflows, once safe_emalloc() or something similar
-    is implemented they can all be addressed.
-
-(8) integer overflow if the specified string is longer then ~1.1 billion bytes.
-
-(9) multiple integer overflows, ex. pack("d4294967297", 2);
+(7) multiple integer overflows, ex. pack("d4294967297", 2);
 
 Ammendment 1.
 
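Review bot: The removal of old footnote (7), "few possible integer overflows, once safe_emalloc() or something similar is implemented they can all be addressed", is not explained by the log message, which only mentions GD. If that note applied only to the bundled GD code, say so in the log; if it also covered other functions, it should stay under a new number. While this line is being re-added anyway, the new (6) text "longer then ~1.1 billion bytes" should read "longer than".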
Index: php4/NEWS
diff -u php4/NEWS:1.1247.2.235 php4/NEWS:1.1247.2.236
--- php4/NEWS:1.1247.2.235      Tue Jun  3 10:47:03 2003
+++ php4/NEWS   Tue Jun  3 19:57:58 2003
@@ -17,6 +17,8 @@
 - Added long options into CLI & CGI (e.g. --version). (Marcus)
 - Fixed ext/yaz to not log unless yaz.log_file is set. (Adam Dickmeiss)
 - Fixed ext/exif to honor "magic_quotes_runtime" php.ini option. (Marcus)
+- Synchronized bundled GD library with GD 2.0.14. (Ilia)
+- Added integer overflow checks to bundled GD library. (Ilia)
 - Fixed bug #23913 (make rename() work across partitions on *nix). (Ilia)
 - Fixed bug #23912 (Invalid CSS in phpinfo() output). (Ilia)
 - Fixed bug #23902 (NULL in CGI header output). (Shane)
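Review bot: The entry "Added integer overflow checks to bundled GD library" gives no indication of scope. The TODO_SEGFAULTS footnote removed in this commit describes the problem as overflows "when trying to allocate a buffer for a new image" across the JPEG, PNG, XPM, WBMP, GD2 and GIF code paths. Adding a short qualifier, for example that the checks cover image buffer allocation in the image creation and output functions, would let users who handle untrusted image files tell from NEWS that this release matters to them.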



-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
