tony2001                Wed Jun  6 09:43:39 2007 UTC

  Modified files:              
    /php-src/ext/gd/libgd       gd.c 
    /php-src/ext/gd     gd.c 
  Log:
  fix several integer overflows in GD
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.104&r2=1.105&diff_format=u
Index: php-src/ext/gd/libgd/gd.c
diff -u php-src/ext/gd/libgd/gd.c:1.104 php-src/ext/gd/libgd/gd.c:1.105
--- php-src/ext/gd/libgd/gd.c:1.104     Sat Apr 14 17:30:51 2007
+++ php-src/ext/gd/libgd/gd.c   Wed Jun  6 09:43:38 2007
@@ -120,6 +120,15 @@
 {
        int i;
        gdImagePtr im;
+
+       if (overflow2(sx, sy)) {
+               return NULL;
+       }
+
+       if (overflow2(sizeof(unsigned char *), sy)) {
+               return NULL;
+       }
+
        im = (gdImage *) gdMalloc(sizeof(gdImage));
        memset(im, 0, sizeof(gdImage));
        /* Row-major ever since gd 1.3 */
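Review bot: The added `return NULL;` paths at the top of this constructor, and the three in the next hunk, give callers a failure result that oversized `sx`/`sy` values did not produce before. This commit only adds `!im` checks at the `gdImageCreateTrueColor` and `gdImageCreate` call sites in ext/gd/gd.c. Any other caller inside libgd or the extension, none of which are visible in this diff, should be audited so that a NULL image is not dereferenced. I would also document the contract above the function, for example `/* Returns NULL when sx * sy or the row-pointer table size would overflow; callers must check. */`. The function's signature and the rest of its body lie outside the hunk.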
@@ -162,6 +171,19 @@
 {
        int i;
        gdImagePtr im;
+
+       if (overflow2(sx, sy)) {
+               return NULL;
+       }
+
+       if (overflow2(sizeof(unsigned char *), sy)) {
+               return NULL;
+       }
+       
+       if (overflow2(sizeof(int), sx)) {
+               return NULL;
+       }
+
        im = (gdImage *) gdMalloc(sizeof(gdImage));
        memset(im, 0, sizeof(gdImage));
        im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
@@ -2398,6 +2420,14 @@
        int *stx, *sty;
        /* We only need to use floating point to determine the correct stretch 
vector for one line's worth. */
        double accum;
+       
+       if (overflow2(sizeof(int), srcW)) {
+               return;
+       }
+       if (overflow2(sizeof(int), srcH)) {
+               return;
+       }
+
        stx = (int *) gdMalloc (sizeof (int) * srcW);
        sty = (int *) gdMalloc (sizeof (int) * srcH);
        accum = 0;
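Review bot: The two added `return;` statements before the `stx`/`sty` allocations make this void function bail out with nothing copied and no signal to the caller. A short comment such as `/* srcW/srcH too large for the stretch tables: leave dst untouched */` would make that intent explicit. The same silent return is added in the two polygon hunks further down. Whether `overflow2` also rejects zero or negative values is not visible on this page; if it does not, a negative `srcW` or `srcH` would still convert to a very large `size_t` in `sizeof (int) * srcW`, so an explicit `srcW <= 0 || srcH <= 0` guard would be worth adding. The function's signature and the code that fills the tables are outside the hunk.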
@@ -3189,6 +3219,10 @@
                return;
        }
 
+       if (overflow2(sizeof(int), n)) {
+               return;
+       }
+
        if (c == gdAntiAliased) {
                fill_color = im->AA_color;
        } else {
@@ -3203,6 +3237,9 @@
                while (im->polyAllocated < n) {
                        im->polyAllocated *= 2;
                }
+               if (overflow2(sizeof(int), im->polyAllocated)) {
+                       return;
+               }
                im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * 
im->polyAllocated);
        }
        miny = p[0].y;
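Review bot: The new `overflow2(sizeof(int), im->polyAllocated)` check runs after the `while` loop has already doubled `im->polyAllocated` in place, so the early `return` leaves the image recording a capacity that `im->polyInts` never received. If the enclosing condition (outside this hunk) compares `n` against `im->polyAllocated`, as the loop suggests, a later call on the same image could skip the reallocation and index past the end of the old, smaller buffer. Computing the grown size in a local and storing it only after `gdRealloc` keeps the two fields consistent on every path. The local should be declared at the top of whichever block encloses these lines, which is not visible here.
```c
	/* … unchanged: enclosing capacity check that opens this block … */
	int new_alloc = im->polyAllocated;

	while (new_alloc < n) {
		new_alloc *= 2;
	}
	if (overflow2(sizeof(int), new_alloc)) {
		return;
	}
	im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * new_alloc);
	/* Publish the new capacity only once the buffer really has it. */
	im->polyAllocated = new_alloc;
```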
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.377&r2=1.378&diff_format=u
Index: php-src/ext/gd/gd.c
diff -u php-src/ext/gd/gd.c:1.377 php-src/ext/gd/gd.c:1.378
--- php-src/ext/gd/gd.c:1.377   Sun Jun  3 17:43:13 2007
+++ php-src/ext/gd/gd.c Wed Jun  6 09:43:39 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: gd.c,v 1.377 2007/06/03 17:43:13 pajoye Exp $ */
+/* $Id: gd.c,v 1.378 2007/06/06 09:43:39 tony2001 Exp $ */
 
 /* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center,
    Cold Spring Harbor Labs. */
@@ -1579,6 +1579,10 @@
 
        im = gdImageCreateTrueColor(x_size, y_size);
 
+       if (!im) {
+               RETURN_FALSE;
+       }
+
        ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
@@ -2128,6 +2132,10 @@
 
        im = gdImageCreate(x_size, y_size);
 
+       if (!im) {
+               RETURN_FALSE;
+       }
+
        ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
