iliaa Tue Jun 3 19:23:25 2003 EDT Modified files: (Branch: PHP_4_3) /php4/ext/gd/libgd gd_gd2.c gd_jpeg.c Log: MFH: Integer overflow checks.
Index: php4/ext/gd/libgd/gd_gd2.c
diff -u php4/ext/gd/libgd/gd_gd2.c:1.4.2.3 php4/ext/gd/libgd/gd_gd2.c:1.4.2.4
--- php4/ext/gd/libgd/gd_gd2.c:1.4.2.3 Sat Apr 5 12:24:15 2003
+++ php4/ext/gd/libgd/gd_gd2.c Tue Jun 3 19:23:25 2003
@@ -140,6 +140,9 @@
 nc = (*ncx) * (*ncy);
 GD2_DBG(php_gd_error("Reading %d chunk index entries\n", nc));
 sidx = sizeof(t_chunk_info) * nc;
+ if (sidx <= 0) {
+ goto fail1;
+ }
 cidx = gdCalloc(sidx, 1);
 for (i = 0; i < nc; i++) {
 if (gdGetInt(&cidx[i].offset, in) != 1) {
@@ -273,6 +276,9 @@
 /* Allocate buffers */
 chunkMax = cs * bytesPerPixel * cs;
+ if (chunkMax <= 0) {
+ return 0;
+ }
 chunkBuf = gdCalloc(chunkMax, 1);
 compBuf = gdCalloc(compMax, 1);
@@ -448,6 +454,10 @@
 } else {
 chunkMax = cs * cs;
 }
+ if (chunkMax <= 0) {
+ goto fail2;
+ }
+
 chunkBuf = gdCalloc(chunkMax, 1);
 compBuf = gdCalloc(compMax, 1);
 }
@@ -660,7 +670,11 @@
 compMax = (int)(cs * bytesPerPixel * cs * 1.02f) + 12;
 /* Allocate the buffers. */
- chunkData = gdCalloc(cs * bytesPerPixel * cs, 1);
+ chunkData = safe_emalloc(cs * bytesPerPixel, cs, 0);
+ memset(chunkData, 0, cs * bytesPerPixel * cs);
+ if (compMax <= 0) {
+ goto fail;
+ }
 compData = gdCalloc(compMax, 1);
 /* Save the file position of chunk index, and allocate enough space for
@@ -671,7 +685,8 @@
 GD2_DBG(php_gd_error("Index size is %d\n", idxSize));
 gdSeek(out, idxPos + idxSize);
- chunkIdx = gdCalloc(idxSize * sizeof(t_chunk_info), 1);
+ chunkIdx = safe_emalloc(idxSize, sizeof(t_chunk_info), 0);
+ memset(chunkIdx, 0, idxSize * sizeof(t_chunk_info));
 }
 _gdPutColors (im, out);
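Review bot: The `if (sidx <= 0)` test added in the `@@ -140,6 +140,9 @@` hunk runs after `sizeof(t_chunk_info) * nc` has been computed, so it only catches a product that wraps to zero or a negative value; a product that wraps to a small positive size passes, and the `for (i = 0; i < nc; i++)` loop below then writes `cidx[i]` beyond the allocation. `nc` is itself the unchecked product `(*ncx) * (*ncy)`, and signed overflow there is undefined rather than a guaranteed wrap. Bounding the operands before multiplying covers both: `if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) goto fail1;` ahead of the `nc = ...` line, then `if (nc > INT_MAX / (int)sizeof(t_chunk_info)) goto fail1;` ahead of `sidx` (this assumes `sidx` is an `int`, which the sign test suggests but the hunk does not show). The same after-the-fact sign test is used for `chunkMax` in the `-273,6` and `-448,6` hunks and for `compMax` in the `-660,7` hunk. The function begins and ends outside the hunk, so the declarations and the `fail1` cleanup are not visible.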
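Review bot: The overflow path added in the `@@ -273,6 +276,9 @@` hunk leaves with a bare `return 0;`, while the other checks added to this file jump to a cleanup label (`fail1`, `fail2`, `fail`). If the function has already allocated anything by this point, such as the image or a chunk index (its start is outside the hunk, so this is not confirmed), that memory is leaked each time the check fires on a malformed file. Routing this exit through the function's existing cleanup path would keep the error handling consistent. `compMax` is also passed to `gdCalloc(compMax, 1)` with no comparable check in this hunk or in the `-448,6` hunk.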
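Review bot: `safe_emalloc(cs * bytesPerPixel, cs, 0)` in the `@@ -660,7 +670,11 @@` hunk receives a first argument that has already been multiplied in `int`, so whatever overflow check the allocator applies to its two factors never sees an overflow in `cs * bytesPerPixel`, and the `memset` on the next line recomputes the full three-way product unchecked. Both gd_jpeg.c hunks have the same shape: `cinfo.image_width * cinfo.input_components` and `cinfo.output_width * 3` are multiplied before the call, leaving only the typically very small `sizeof(JSAMPLE)` as the second factor. Passing the large dimension on its own keeps the check meaningful, e.g. `row = safe_emalloc(cinfo.output_width, 3 * sizeof(JSAMPLE), 0);`, and computing the byte count once into a `size_t` local would let the allocation and the `memset` share one validated value. The `compMax <= 0` test also sits after `chunkData` has been allocated and after the float expression has been cast to `int`; moving a bound on `cs` above the `compMax = ...` line would avoid relying on the result of an out-of-range conversion. The enclosing function starts outside the hunk, so any earlier clamping of `cs` is not visible here.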
@@ -755,7 +770,7 @@
 }
 gdSeek(out, posSave);
 }
-
+fail:
 GD2_DBG(php_gd_error("Freeing memory\n"));
 if (chunkData) {
 gdFree(chunkData);
Index: php4/ext/gd/libgd/gd_jpeg.c
diff -u php4/ext/gd/libgd/gd_jpeg.c:1.4.2.3 php4/ext/gd/libgd/gd_jpeg.c:1.4.2.4
--- php4/ext/gd/libgd/gd_jpeg.c:1.4.2.3 Wed Apr 9 22:11:20 2003
+++ php4/ext/gd/libgd/gd_jpeg.c Tue Jun 3 19:23:25 2003
@@ -144,7 +144,8 @@
 jpeg_gdIOCtx_dest (&cinfo, outfile);
- row = (JSAMPROW) gdCalloc (1, cinfo.image_width * cinfo.input_components * sizeof (JSAMPLE));
+ row = (JSAMPROW) safe_emalloc(cinfo.image_width * cinfo.input_components, sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.image_width * cinfo.input_components * sizeof(JSAMPLE));
 rowptr[0] = row;
 jpeg_start_compress (&cinfo, TRUE);
@@ -310,7 +311,8 @@
 goto error;
 #endif /* BITS_IN_JSAMPLE == 12 */
- row = gdCalloc (cinfo.output_width * 3, sizeof (JSAMPLE));
+ row = safe_emalloc(cinfo.output_width * 3, sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.output_width * 3 * sizeof(JSAMPLE));
 rowptr[0] = row;
 for (i = 0; i < cinfo.output_height; i++) {
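Review bot: The new `fail:` label in the `@@ -755,7 +770,7 @@` hunk is reached by the `goto fail` added in the `-660,7` hunk before `compData` and `chunkIdx` have been assigned, so the cleanup that begins with `if (chunkData) { gdFree(chunkData);` is only safe if every pointer it tests is initialised to NULL at its declaration, which is outside the visible lines. A short comment on the label would record that dependency, e.g. `/* also reached before compData/chunkIdx are set; relies on their NULL initialisers */`. `chunkData` now comes from `safe_emalloc` but is still released with `gdFree(chunkData)`, so it is worth confirming that `gdFree` maps to the matching deallocator in this build. The cleanup block continues past the end of the hunk.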