iliaa           Tue Jun  3 19:23:25 2003 EDT

  Modified files:              (Branch: PHP_4_3)
    /php4/ext/gd/libgd  gd_gd2.c gd_jpeg.c 
  Log:
  MFH: Integer overflow checks.
  
  
Index: php4/ext/gd/libgd/gd_gd2.c
diff -u php4/ext/gd/libgd/gd_gd2.c:1.4.2.3 php4/ext/gd/libgd/gd_gd2.c:1.4.2.4
--- php4/ext/gd/libgd/gd_gd2.c:1.4.2.3  Sat Apr  5 12:24:15 2003
+++ php4/ext/gd/libgd/gd_gd2.c  Tue Jun  3 19:23:25 2003
@@ -140,6 +140,9 @@
                nc = (*ncx) * (*ncy);
                GD2_DBG(php_gd_error("Reading %d chunk index entries\n", nc));
                sidx = sizeof(t_chunk_info) * nc;
+               if (sidx <= 0) {
+                       goto fail1;
+               }
                cidx = gdCalloc(sidx, 1);
                for (i = 0; i < nc; i++) {
                        if (gdGetInt(&cidx[i].offset, in) != 1) {
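Review bot: The added `sidx <= 0` test runs after `sizeof(t_chunk_info) * nc` has already been evaluated, so it only rejects a product that wraps to zero or to a negative value; a product that wraps to a small positive number still reaches `gdCalloc`, and the `for (i = 0; i < nc; i++)` loop then indexes past the buffer. The same after-the-fact pattern is used for `chunkMax` in the next two hunks and for `compMax` in the writer hunk. Bounding the operand before multiplying works whatever the variable types are (they are not visible here): `if (nc <= 0 || nc > INT_MAX / (int) sizeof(t_chunk_info)) { goto fail1; }`. `nc = (*ncx) * (*ncy)` on the first context line needs the same treatment, and the visible lines use the `gdCalloc` result in the loop without a NULL check.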
@@ -273,6 +276,9 @@
 
                /* Allocate buffers */
                chunkMax = cs * bytesPerPixel * cs;
+               if (chunkMax <= 0) {
+                       return 0;
+               }
                chunkBuf = gdCalloc(chunkMax, 1);
                compBuf = gdCalloc(compMax, 1);
                
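Review bot: The new `return 0;` leaves the function directly, whereas the other checks added in this file jump to a `fail` label; if the function already owns allocations at this point (its beginning is outside the hunk), they are not released on this path. Routing the error through the function's existing cleanup code, if it has any, would keep the failure paths uniform. Separately, `compMax` is passed to `gdCalloc` on the line after `chunkBuf` without any range check, here and in the following hunk, while the writer hunk does test `compMax <= 0`; how `compMax` is computed is not visible in either place.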
@@ -448,6 +454,10 @@
                } else {
                        chunkMax = cs * cs;
                }
+               if (chunkMax <= 0) {
+                       goto fail2;
+               }
+               
                chunkBuf = gdCalloc(chunkMax, 1);
                compBuf = gdCalloc(compMax, 1);
        }
@@ -660,7 +670,11 @@
                compMax = (int)(cs * bytesPerPixel * cs * 1.02f) + 12;
 
                /* Allocate the buffers.  */
-               chunkData = gdCalloc(cs * bytesPerPixel * cs, 1);
+               chunkData = safe_emalloc(cs * bytesPerPixel, cs, 0);
+               memset(chunkData, 0, cs * bytesPerPixel * cs);
+               if (compMax <= 0) {
+                       goto fail;              
+               }
                compData = gdCalloc(compMax, 1);
 
                /* Save the file position of chunk index, and allocate enough space for
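Review bot: `safe_emalloc(cs * bytesPerPixel, cs, 0)` only protects the multiplication it performs itself; the first argument `cs * bytesPerPixel` is computed in ordinary integer arithmetic before the call, and the `memset` length `cs * bytesPerPixel * cs` is recomputed unchecked. The `gd_jpeg.c` hunks have the same shape with `cinfo.image_width * cinfo.input_components` and `cinfo.output_width * 3`. Unless `cs` is clamped earlier in the function (not visible in the hunk), a range check ahead of the allocation would close this, e.g. `if (cs <= 0 || bytesPerPixel <= 0 || cs > INT_MAX / bytesPerPixel / cs) { goto fail; }`. That check would also cover the integer product inside the `compMax` expression, which is evaluated before the `compMax <= 0` test.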
@@ -671,7 +685,8 @@
                GD2_DBG(php_gd_error("Index size is %d\n", idxSize));
                gdSeek(out, idxPos + idxSize);
 
-               chunkIdx = gdCalloc(idxSize * sizeof(t_chunk_info), 1);
+               chunkIdx = safe_emalloc(idxSize, sizeof(t_chunk_info), 0);
+               memset(chunkIdx, 0, idxSize * sizeof(t_chunk_info));
        }
 
        _gdPutColors (im, out);
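Review bot: `idxSize` is added to a file position in `gdSeek(out, idxPos + idxSize)`, which suggests it is already a byte count, so `safe_emalloc(idxSize, sizeof(t_chunk_info), 0)` appears to keep the old code's habit of multiplying by the element size a second time. That over-allocates rather than under-allocates, but it makes the overflow limit tighter than necessary and obscures how many entries the buffer really holds. If the definition of `idxSize` (outside the hunk) confirms it is in bytes, `chunkIdx = safe_emalloc(idxSize, 1, 0);` with `memset(chunkIdx, 0, idxSize);` says what is meant; otherwise a comment stating the unit would help.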
@@ -755,7 +770,7 @@
                }
                gdSeek(out, posSave);
        }
-
+fail:
        GD2_DBG(php_gd_error("Freeing memory\n"));
        if (chunkData) {
                gdFree(chunkData);
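Review bot: The new `fail:` label is reached from the `compMax <= 0` check before `compData` and `chunkIdx` have been assigned, so the cleanup below it is only safe if every pointer it frees is initialised to NULL at declaration; the declarations are outside the hunk and should be confirmed. The label also sits on the normal exit path, so a short comment would prevent misreading, for example `/* fail: shared exit, also reached on success; all buffers must start out NULL */`. In the visible lines nothing records that the write was abandoned, so whether the caller can detect the failure depends on code outside the hunk.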
Index: php4/ext/gd/libgd/gd_jpeg.c
diff -u php4/ext/gd/libgd/gd_jpeg.c:1.4.2.3 php4/ext/gd/libgd/gd_jpeg.c:1.4.2.4
--- php4/ext/gd/libgd/gd_jpeg.c:1.4.2.3 Wed Apr  9 22:11:20 2003
+++ php4/ext/gd/libgd/gd_jpeg.c Tue Jun  3 19:23:25 2003
@@ -144,7 +144,8 @@
 
        jpeg_gdIOCtx_dest (&cinfo, outfile);
 
-       row = (JSAMPROW) gdCalloc (1, cinfo.image_width * cinfo.input_components * 
sizeof (JSAMPLE));
+       row = (JSAMPROW) safe_emalloc(cinfo.image_width * cinfo.input_components, 
sizeof(JSAMPLE), 0);
+       memset(row, 0, cinfo.image_width * cinfo.input_components * sizeof(JSAMPLE));
        rowptr[0] = row;
 
        jpeg_start_compress (&cinfo, TRUE);
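Review bot: The byte count is spelled out twice, once as the `safe_emalloc` arguments and once as the `memset` length, and the two have to be kept in step by hand; the same pair appears in the second hunk of this file and twice in `gd_gd2.c`. A small static helper that takes `(nmemb, size)`, calls `safe_emalloc` and zeroes the result would keep the length in one place. The `(JSAMPROW)` cast on the allocation is also unnecessary in C, as the second hunk's `row = safe_emalloc(...)` already shows.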
@@ -310,7 +311,8 @@
        goto error;
 #endif /* BITS_IN_JSAMPLE == 12 */
 
-       row = gdCalloc (cinfo.output_width * 3, sizeof (JSAMPLE));
+       row = safe_emalloc(cinfo.output_width * 3, sizeof(JSAMPLE), 0);
+       memset(row, 0, cinfo.output_width * 3 * sizeof(JSAMPLE));
        rowptr[0] = row;
 
        for (i = 0; i < cinfo.output_height; i++) {


