tony2001 Wed Jun 6 09:45:43 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-src NEWS
/php-src/ext/gd/libgd gd.c
/php-src/ext/gd gd.c
Log:
MFH: fix several integer overflows in GD
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.762&r2=1.2027.2.547.2.763&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.762 php-src/NEWS:1.2027.2.547.2.763
--- php-src/NEWS:1.2027.2.547.2.762 Wed Jun 6 08:35:44 2007
+++ php-src/NEWS Wed Jun 6 09:45:43 2007
@@ -7,6 +7,8 @@
 GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre)
 - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony)
+- Fixed several integer overflows in bundled GD library reported by
+  Mattias Bengtsson. (Tony)
 - Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory already exists). (Pierre)
 - Fixed bug #41608 (segfault on a weird code with objects and switch()).
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.11&r2=1.90.2.1.2.12&diff_format=u
Index: php-src/ext/gd/libgd/gd.c
diff -u php-src/ext/gd/libgd/gd.c:1.90.2.1.2.11 php-src/ext/gd/libgd/gd.c:1.90.2.1.2.12
--- php-src/ext/gd/libgd/gd.c:1.90.2.1.2.11 Sat Apr 14 17:33:15 2007
+++ php-src/ext/gd/libgd/gd.c Wed Jun 6 09:45:43 2007
@@ -120,6 +120,15 @@
 {
 	int i;
 	gdImagePtr im;
+
+	if (overflow2(sx, sy)) {
+		return NULL;
+	}
+
+	if (overflow2(sizeof(unsigned char *), sy)) {
+		return NULL;
+	}
+
 	im = (gdImage *) gdMalloc(sizeof(gdImage));
 	memset(im, 0, sizeof(gdImage));
 	/* Row-major ever since gd 1.3 */
@@ -162,6 +171,19 @@
 {
 	int i;
 	gdImagePtr im;
+
+	if (overflow2(sx, sy)) {
+		return NULL;
+	}
+
+	if (overflow2(sizeof(unsigned char *), sy)) {
+		return NULL;
+	}
+
+	if (overflow2(sizeof(int), sx)) {
+		return NULL;
+	}
+
 	im = (gdImage *) gdMalloc(sizeof(gdImage));
 	memset(im, 0, sizeof(gdImage));
 	im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
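Review bot: The two new guards make this constructor return NULL on rejected dimensions, which every caller must now handle; the commit updates the two PHP wrappers (hunks @@ -1740 and @@ -2350 in ext/gd/gd.c), but any other callers of these two constructors, such as libgd's own image loaders, are not in this diff and should be audited for an unchecked result. The same point applies to the second hunk (@@ -162), whose `im->tpixels` line suggests it is the true-colour variant. A comment above the checks would record the new contract, e.g. `/* Reject sizes whose row/pointer allocations would overflow; returns NULL, so callers must check. */`. The function's signature lies before the hunk (which opens at `{`), so the parameter types of sx and sy, and hence what `overflow2` compares against, are not visible here.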
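Review bot: In hunk @@ -162 the second guard tests `overflow2(sizeof(unsigned char *), sy)` while the allocation it protects on the hunk's last line multiplies by `sizeof(int *)`; the two sizes are equal on every common platform, but a guard should mirror the exact expression it bounds so the pairing survives future edits, i.e. `if (overflow2(sizeof(int *), sy)) {`. The third check, `overflow2(sizeof(int), sx)`, presumably protects per-row `sizeof(int) * sx` allocations that follow outside the hunk; a short comment naming the allocation each check guards would make the three checks reviewable without reading the rest of the function.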
@@ -2404,6 +2426,14 @@
 	int *stx, *sty;
 	/* We only need to use floating point to determine the correct stretch vector for one line's worth. */
 	double accum;
+
+	if (overflow2(sizeof(int), srcW)) {
+		return;
+	}
+	if (overflow2(sizeof(int), srcH)) {
+		return;
+	}
+
 	stx = (int *) gdMalloc (sizeof (int) * srcW);
 	sty = (int *) gdMalloc (sizeof (int) * srcH);
 	accum = 0;
@@ -3195,6 +3225,10 @@
 		return;
 	}
 
+	if (overflow2(sizeof(int), n)) {
+		return;
+	}
+
 	if (c == gdAntiAliased) {
 		fill_color = im->AA_color;
 	} else {
@@ -3209,6 +3243,9 @@
 		while (im->polyAllocated < n) {
 			im->polyAllocated *= 2;
 		}
+		if (overflow2(sizeof(int), im->polyAllocated)) {
+			return;
+		}
 		im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);
 	}
 	miny = p[0].y;
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29&diff_format=u
Index: php-src/ext/gd/gd.c
diff -u php-src/ext/gd/gd.c:1.312.2.20.2.28 php-src/ext/gd/gd.c:1.312.2.20.2.29
--- php-src/ext/gd/gd.c:1.312.2.20.2.28 Sun Jun 3 17:46:18 2007
+++ php-src/ext/gd/gd.c Wed Jun 6 09:45:43 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: gd.c,v 1.312.2.20.2.28 2007/06/03 17:46:18 pajoye Exp $ */
+/* $Id: gd.c,v 1.312.2.20.2.29 2007/06/06 09:45:43 tony2001 Exp $ */
 
 /* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center,
    Cold Spring Harbor Labs. */
@@ -1740,6 +1740,10 @@
 
 	im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
 
+	if (!im) {
+		RETURN_FALSE;
+	}
+
 	ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
@@ -2350,6 +2354,10 @@
 
 	im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
 
+	if (!im) {
+		RETURN_FALSE;
+	}
+
 	ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
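Review bot: The two new guards in hunk @@ -2404 return from a void function, so a caller whose source dimensions fail `overflow2` gets no indication that nothing was copied; the `gdMalloc` results on the following context lines are likewise unchecked, though that predates this commit. If a silent no-op is the intended behaviour, a comment such as `/* Stretch vectors would overflow: give up without drawing; the void API cannot report this. */` above the checks would make the contract explicit for the next reader. The same silent-return shape is used in hunks @@ -3195 and @@ -3209. The enclosing function begins before the hunk, so the types of srcW and srcH are not visible here.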
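Review bot: In hunk @@ -3209 the new check runs after the doubling loop has already stored the grown value in `im->polyAllocated`, so when it fires the function returns with `im->polyAllocated` claiming a capacity that `im->polyInts` was never reallocated to; a later call on the same image with an n at or below that inflated value would skip the grow branch and write beyond the real buffer. Growing into a local and committing it only after the check and the realloc keeps the two fields consistent, as below. The `if (im->polyAllocated < n) {` that encloses this hunk starts outside it, and whether `overflow2` can fire here at all depends on the bound the `overflow2(sizeof(int), n)` guard in hunk @@ -3195 imposes on n, which I cannot confirm without `overflow2`'s definition. The NULL result of `gdRealloc` is also unchecked, though that predates this commit.
```c
		/* Grow into a local so im->polyAllocated only changes once the buffer is really that large. */
		int new_alloc = im->polyAllocated; /* type assumed to match polyAllocated; confirm against the struct */
		while (new_alloc < n) {
			new_alloc *= 2;
		}
		if (overflow2(sizeof(int), new_alloc)) {
			return;
		}
		im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * new_alloc);
		im->polyAllocated = new_alloc;
```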
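Review bot: The new `if (!im) { RETURN_FALSE; }` in hunk @@ -1740 returns false with no diagnostic, so a script author cannot tell an oversized request from any other failure; other failure paths in this extension appear to report through `php_error_docref` before failing (not visible in this hunk), so emitting, for example, `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");` before `RETURN_FALSE` would keep the wrapper consistent with them. The same applies to hunk @@ -2350. Note also that the context line passes `Z_LVAL_PP(x_size)` and `Z_LVAL_PP(y_size)`, which are longs, to what are presumably int parameters; unless their range is already validated earlier in the function, outside the hunk, that narrowing happens before libgd's new overflow checks ever see the requested values.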