archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-18 15:08:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

MFH: fix several integer overflows in GD

Browse source
This commit is contained in:
Antony Dovgal 2007-06-06 09:45:43 +00:00
parent 2374641e58
commit 8853804482
3 changed files with 47 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
NEWS
View file

@ -7,6 +7,8 @@ PHP NEWS
GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre)
- Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com,
Tony) Tony)
- Fixed several integer overflows in bundled GD library reported by
Mattias Bengtsson. (Tony)
- Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory - Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory
already exists). (Pierre) already exists). (Pierre)
- Fixed bug #41608 (segfault on a weird code with objects and switch()). - Fixed bug #41608 (segfault on a weird code with objects and switch()).

8
ext/gd/gd.c
View file

@ -1740,6 +1740,10 @@ PHP_FUNCTION(imagecreatetruecolor)
im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size)); im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
if (!im) {
RETURN_FALSE;
}
ZEND_REGISTER_RESOURCE(return_value, im, le_gd); ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
} }
/* }}} */ /* }}} */
@ -2350,6 +2354,10 @@ PHP_FUNCTION(imagecreate)
im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size)); im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));
if (!im) {
RETURN_FALSE;
}
ZEND_REGISTER_RESOURCE(return_value, im, le_gd); ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
} }
/* }}} */ /* }}} */

37
ext/gd/libgd/gd.c
View file

@ -120,6 +120,15 @@ gdImagePtr gdImageCreate (int sx, int sy)
{ {
int i; int i;
gdImagePtr im; gdImagePtr im;
if (overflow2(sx, sy)) {
return NULL;
}
if (overflow2(sizeof(unsigned char *), sy)) {
return NULL;
}
im = (gdImage *) gdMalloc(sizeof(gdImage)); im = (gdImage *) gdMalloc(sizeof(gdImage));
memset(im, 0, sizeof(gdImage)); memset(im, 0, sizeof(gdImage));
/* Row-major ever since gd 1.3 */ /* Row-major ever since gd 1.3 */
@ -162,6 +171,19 @@ gdImagePtr gdImageCreateTrueColor (int sx, int sy)
{ {
int i; int i;
gdImagePtr im; gdImagePtr im;
if (overflow2(sx, sy)) {
return NULL;
}
if (overflow2(sizeof(unsigned char *), sy)) {
return NULL;
}
if (overflow2(sizeof(int), sx)) {
return NULL;
}
im = (gdImage *) gdMalloc(sizeof(gdImage)); im = (gdImage *) gdMalloc(sizeof(gdImage));
memset(im, 0, sizeof(gdImage)); memset(im, 0, sizeof(gdImage));
im->tpixels = (int **) gdMalloc(sizeof(int *) * sy); im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
@ -2404,6 +2426,14 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
int *stx, *sty; int *stx, *sty;
/* We only need to use floating point to determine the correct stretch vector for one line's worth. */ /* We only need to use floating point to determine the correct stretch vector for one line's worth. */
double accum; double accum;
if (overflow2(sizeof(int), srcW)) {
return;
}
if (overflow2(sizeof(int), srcH)) {
return;
}
stx = (int *) gdMalloc (sizeof (int) * srcW); stx = (int *) gdMalloc (sizeof (int) * srcW);
sty = (int *) gdMalloc (sizeof (int) * srcH); sty = (int *) gdMalloc (sizeof (int) * srcH);
accum = 0; accum = 0;
@ -3195,6 +3225,10 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
return; return;
} }
if (overflow2(sizeof(int), n)) {
return;
}
if (c == gdAntiAliased) { if (c == gdAntiAliased) {
fill_color = im->AA_color; fill_color = im->AA_color;
} else { } else {
@ -3209,6 +3243,9 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
while (im->polyAllocated < n) { while (im->polyAllocated < n) {
im->polyAllocated *= 2; im->polyAllocated *= 2;
} }
if (overflow2(sizeof(int), im->polyAllocated)) {
return;
}
im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated); im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);
} }
miny = p[0].y; miny = p[0].y;