iliaa Tue Jun 3 19:57:59 2003 EDT Modified files: (Branch: PHP_4_3) /php4 TODO_SEGFAULTS NEWS Log: GD stuff Index: php4/TODO_SEGFAULTS diff -u php4/TODO_SEGFAULTS:1.1.2.32 php4/TODO_SEGFAULTS:1.1.2.33 --- php4/TODO_SEGFAULTS:1.1.2.32 Wed Apr 16 15:17:27 2003 +++ php4/TODO_SEGFAULTS Tue Jun 3 19:57:58 2003 @@ -15,6 +15,7 @@ str_repeat (Ilia) imagecopyresized (Ilia) mhash_keygen_s2k (Ilia) + bundled gd (Ilia) mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi) xml_parser_create (Moriyoshi) ob_start (Sascha) @@ -31,9 +32,8 @@ socket_select (3) php_imagepolygon (4) imagesetstyle (5) - bundled gd (6) - php_base64_encode (8) - pack (9) + php_base64_encode (6) + pack (7) (1) heap corruption, mostly visible in malloc-related calls. Whether you see this or not might depend on your libc/compiler. Hard to track down, @@ -83,26 +83,9 @@ gdImageSetStyle function called by this php wrapper can die for the same reason. -(6) multiple integer overflows that can occur when trying to allocate a buffer - for a new image. Affected functions: - gdImageCreateFromJpegCtx - readwbmp - gdImageCreateFromXpm - gdImageCreateFromPngCtx - gdImagePngCtx - gdImageCreateFromJpegCtx - gdImageJpegCtx - gdImageCreateFromGd2Ctx - gdImageCreateFromGd2PartCtx - _gdImageGd2 - GetDataBlock (gd_gif_in.c) +(6) integer overflow if the specified string is longer then ~1.1 billion bytes. -(7) few possible integer overflows, once safe_emalloc() or something similar - is implemented they can all be addressed. - -(8) integer overflow if the specified string is longer then ~1.1 billion bytes. - -(9) multiple integer overflows, ex. pack("d4294967297", 2); +(7) multiple integer overflows, ex. pack("d4294967297", 2); Ammendment 1. Index: php4/NEWS diff -u php4/NEWS:1.1247.2.235 php4/NEWS:1.1247.2.236 --- php4/NEWS:1.1247.2.235 Tue Jun 3 10:47:03 2003 +++ php4/NEWS Tue Jun 3 19:57:58 2003 
@@ -17,6 +17,8 @@ - Added long options into CLI & CGI (e.g. --version). (Marcus) - Fixed ext/yaz to not log unless yaz.log_file is set. (Adam Dickmeiss) - Fixed ext/exif to honor "magic_quotes_runtime" php.ini option. (Marcus) +- Synchronized bundled GD library with GD 2.0.14. (Ilia) +- Added integer overflow checks to bundled GD library. (Ilia) - Fixed bug #23913 (make rename() work across partitions on *nix). (Ilia) - Fixed bug #23912 (Invalid CSS in phpinfo() output). (Ilia) - Fixed bug #23902 (NULL in CGI header output). (Shane)
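Review bot: In the TODO_SEGFAULTS index hunk (@@ -31,9 +32,8 @@), renumbering php_base64_encode from (8) to (6) and pack from (9) to (7) reuses footnote numbers that meant something else one revision earlier. Anyone citing "(6)" or "(7)" from revision 1.1.2.32 will now land on an unrelated note. Consider keeping the existing numbers and leaving the gap, or stating the renumbering in the log message.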
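Review bot: In the TODO_SEGFAULTS footnote hunk (@@ -83,26 +83,9 @@), old footnote (7), "few possible integer overflows, once safe_emalloc() or something similar is implemented they can all be addressed", is deleted together with the gd footnote (6). Neither the log message nor the NEWS lines say that safe_emalloc() was added or that those overflows were fixed, and no entry in the visible part of the index points at (7), so it is unclear what the note covered. If it belonged to the gd item, say so in the log; otherwise keep it under its own number. The removed list of affected functions (which names gdImageCreateFromJpegCtx twice) is also the only record of what was audited, so it is worth carrying into the commit message. While touching the line, "longer then" in the new (6) should read "longer than".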
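Review bot: In the NEWS hunk, the added line "Added integer overflow checks to bundled GD library" gives users no way to judge exposure, because it does not say which code paths were affected. The TODO_SEGFAULTS footnote removed in this same commit names them (for example gdImageCreateFromJpegCtx, gdImageCreateFromPngCtx, readwbmp and GetDataBlock in gd_gif_in.c) and states that the overflows occur when allocating a buffer for a new image. Suggest saying in the entry that the checks cover image buffer allocation in the image readers and writers. The log message "GD stuff" likewise does not indicate that the commit addresses integer overflows.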