tony2001 Wed Jun 6 09:45:43 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-src NEWS
/php-src/ext/gd/libgd gd.c
/php-src/ext/gd gd.c
Log:
MFH: fix several integer overflows in GD
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.762&r2=1.2027.2.547.2.763&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.762 php-src/NEWS:1.2027.2.547.2.763
--- php-src/NEWS:1.2027.2.547.2.762 Wed Jun 6 08:35:44 2007
+++ php-src/NEWS Wed Jun 6 09:45:43 2007
@@ -7,6 +7,8 @@
GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre)
- Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com,
Tony)
+- Fixed several integer overflows in bundled GD library reported by
+ Mattias Bengtsson. (Tony)
- Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory
already exists). (Pierre)
- Fixed bug #41608 (segfault on a weird code with objects and switch()).
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.11&r2=1.90.2.1.2.12&diff_format=u
Index: php-src/ext/gd/libgd/gd.c
diff -u php-src/ext/gd/libgd/gd.c:1.90.2.1.2.11
php-src/ext/gd/libgd/gd.c:1.90.2.1.2.12
--- php-src/ext/gd/libgd/gd.c:1.90.2.1.2.11 Sat Apr 14 17:33:15 2007
+++ php-src/ext/gd/libgd/gd.c Wed Jun 6 09:45:43 2007
@@ -120,6 +120,15 @@
{
int i;
gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(unsigned char *), sy)) {
+ return NULL;
+ }
+
im = (gdImage *) gdMalloc(sizeof(gdImage));
memset(im, 0, sizeof(gdImage));
/* Row-major ever since gd 1.3 */
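Review bot: Nothing in the new guards rejects a zero or negative sx or sy; the definition of overflow2 is not part of this diff, and unless it treats negative operands as overflow, a negative sy slips through and `sizeof(unsigned char *) * sy` becomes a huge size_t at the allocation that follows. I would put an explicit `if (sx <= 0 || sy <= 0) { return NULL; }` ahead of the two overflow2 calls so the contract does not depend on the helper's handling of sign. The result of `gdMalloc(sizeof(gdImage))` on the next line is also used unchecked, which is fine only if gdMalloc is an emalloc-style wrapper that bails out on failure. gdImageCreate's signature and the rest of its body lie outside this hunk.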
@@ -162,6 +171,19 @@
{
int i;
gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(unsigned char *), sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof(int), sx)) {
+ return NULL;
+ }
+
im = (gdImage *) gdMalloc(sizeof(gdImage));
memset(im, 0, sizeof(gdImage));
im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
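Review bot: The second guard checks `sizeof(unsigned char *)` against sy, but the allocation it protects on the tpixels line is `sizeof(int *) * sy`; the two pointer sizes are equal on every platform gd targets, yet keying the check to the type actually allocated reads better and survives a later change, so `if (overflow2(sizeof(int *), sy))`. The three checks could also be a single condition with one return, which is how the per-row checks in the rest of this file tend to be written. As in gdImageCreate, zero or negative sx/sy are not rejected here unless overflow2 does it. The function header is outside the hunk.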
@@ -2404,6 +2426,14 @@
int *stx, *sty;
/* We only need to use floating point to determine the correct stretch
vector for one line's worth. */
double accum;
+
+ if (overflow2(sizeof(int), srcW)) {
+ return;
+ }
+ if (overflow2(sizeof(int), srcH)) {
+ return;
+ }
+
stx = (int *) gdMalloc (sizeof (int) * srcW);
sty = (int *) gdMalloc (sizeof (int) * srcH);
accum = 0;
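Review bot: The two early returns abandon the whole copy silently, and since this is a void function the caller has no way to learn that nothing was drawn; that is acceptable for a hardening fix but deserves a comment so the next reader does not mistake it for an incomplete path, e.g. `/* Stretch tables would overflow an int-sized allocation: draw nothing. */` above the first check. The guards cover srcW and srcH only; whether dstW/dstH feed any allocation or index arithmetic cannot be seen from this hunk and is worth confirming. The function's signature and the loop that follows `accum = 0;` are outside the hunk.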
@@ -3195,6 +3225,10 @@
return;
}
+ if (overflow2(sizeof(int), n)) {
+ return;
+ }
+
if (c == gdAntiAliased) {
fill_color = im->AA_color;
} else {
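Review bot: The reason for checking n here rather than only at the realloc is not obvious, because a second overflow2 check sits next to the gdRealloc further down; this one actually keeps the `im->polyAllocated *= 2` doubling loop below from overflowing a signed int, since after it polyAllocated never exceeds twice a value that fits in INT_MAX/sizeof(int). A one-line comment would save the next reader from removing it as redundant: `/* Keeps the polyAllocated doubling loop below inside int range. */`. Whether negative n is rejected by the partly visible check above this hunk cannot be told from here. gdImageFilledPolygon's header is outside the hunk.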
@@ -3209,6 +3243,9 @@
while (im->polyAllocated < n) {
im->polyAllocated *= 2;
}
+ if (overflow2(sizeof(int), im->polyAllocated)) {
+ return;
+ }
im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) *
im->polyAllocated);
}
miny = p[0].y;
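Review bot: The overflow check runs after the while loop has already grown `im->polyAllocated`, so when it returns the image is left claiming a polyInts capacity it does not have; a later call with a smaller n then skips the realloc because `n > im->polyAllocated` is false and writes past the real end of polyInts. The doubling should happen in a local, with the field updated only after the realloc succeeds, as below (the local goes at the top of the enclosing `if (n > im->polyAllocated)` block, whose opening line is outside this hunk). Assigning the gdRealloc result straight back to im->polyInts is fine only if gdRealloc is an erealloc-style wrapper that never returns NULL.
```c
		int wanted = im->polyAllocated;
		while (wanted < n) {
			wanted *= 2;
		}
		if (overflow2(sizeof(int), wanted)) {
			return;
		}
		im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * wanted);
		im->polyAllocated = wanted;
```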
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.28&r2=1.312.2.20.2.29&diff_format=u
Index: php-src/ext/gd/gd.c
diff -u php-src/ext/gd/gd.c:1.312.2.20.2.28 php-src/ext/gd/gd.c:1.312.2.20.2.29
--- php-src/ext/gd/gd.c:1.312.2.20.2.28 Sun Jun 3 17:46:18 2007
+++ php-src/ext/gd/gd.c Wed Jun 6 09:45:43 2007
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: gd.c,v 1.312.2.20.2.28 2007/06/03 17:46:18 pajoye Exp $ */
+/* $Id: gd.c,v 1.312.2.20.2.29 2007/06/06 09:45:43 tony2001 Exp $ */
/* gd 1.2 is copyright 1994, 1995, Quest Protein Database Center,
Cold Spring Harbor Labs. */
@@ -1740,6 +1740,10 @@
im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
+ if (!im) {
+ RETURN_FALSE;
+ }
+
ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
}
/* }}} */
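Review bot: `RETURN_FALSE` on a NULL image is silent, so a script passing oversized dimensions to imagecreatetruecolor gets false with no diagnostic, unlike the other failure paths in this extension that emit a warning first. I would add `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");` before the `RETURN_FALSE`, assuming the file uses php_error_docref the way ext/gd generally does. Given the gd.c hunks in this commit, the NULL return is reachable only through the new overflow guards, which makes the wording above accurate. The start of the function, including any prior validation of x_size/y_size, is outside the hunk.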
@@ -2350,6 +2354,10 @@
im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
+ if (!im) {
+ RETURN_FALSE;
+ }
+
ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
}
/* }}} */
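Review bot: Here too the new `RETURN_FALSE` carries no warning, so imagecreate fails silently on dimensions that the bundled gd now rejects; a `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");` ahead of it would match the extension's usual error style, assuming the file uses php_error_docref as ext/gd generally does. The function's opening and whatever range checks precede the gdImageCreate call are outside this hunk.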