MFH: fix several integer overflows in GD

2025-08-18 15:08:55 +02:00 · 2007-06-06 09:45:43 +00:00 · 2007-06-06 09:45:43 +00:00 · 8853804482
commit 8853804482
parent 2374641e58
3 changed files with 47 additions and 0 deletions
--- a/2
+++ b/2
@ -7,6 +7,8 @@ PHP                                                                        NEWS
  GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre)
 - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, 
  Tony)
+- Fixed several integer overflows in bundled GD library reported by 
+  Mattias Bengtsson. (Tony)
 - Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory 
  already exists). (Pierre)
 - Fixed bug #41608 (segfault on a weird code with objects and switch()). 
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@ -1740,6 +1740,10 @@ PHP_FUNCTION(imagecreatetruecolor)

 	im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));

+	if (!im) {
+		RETURN_FALSE;
+	}
+
 	ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
@ -2350,6 +2354,10 @@ PHP_FUNCTION(imagecreate)

 	im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size));

+	if (!im) {
+		RETURN_FALSE;
+	}
+
 	ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 }
 /* }}} */
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@ -120,6 +120,15 @@ gdImagePtr gdImageCreate (int sx, int sy)
 {
 	int i;
 	gdImagePtr im;
+
+	if (overflow2(sx, sy)) {
+		return NULL;
+	}
+
+	if (overflow2(sizeof(unsigned char *), sy)) {
+		return NULL;
+	}
+
 	im = (gdImage *) gdMalloc(sizeof(gdImage));
 	memset(im, 0, sizeof(gdImage));
 	/* Row-major ever since gd 1.3 */
@ -162,6 +171,19 @@ gdImagePtr gdImageCreateTrueColor (int sx, int sy)
 {
 	int i;
 	gdImagePtr im;
+
+	if (overflow2(sx, sy)) {
+		return NULL;
+	}
+
+	if (overflow2(sizeof(unsigned char *), sy)) {
+		return NULL;
+	}
+	
+	if (overflow2(sizeof(int), sx)) {
+		return NULL;
+	}
+
 	im = (gdImage *) gdMalloc(sizeof(gdImage));
 	memset(im, 0, sizeof(gdImage));
 	im->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
@ -2404,6 +2426,14 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
 	int *stx, *sty;
 	/* We only need to use floating point to determine the correct stretch vector for one line's worth. */
 	double accum;
+	
+	if (overflow2(sizeof(int), srcW)) {
+		return;
+	}
+	if (overflow2(sizeof(int), srcH)) {
+		return;
+	}
+
 	stx = (int *) gdMalloc (sizeof (int) * srcW);
 	sty = (int *) gdMalloc (sizeof (int) * srcH);
 	accum = 0;
@ -3195,6 +3225,10 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
 		return;
 	}

+	if (overflow2(sizeof(int), n)) {
+		return;
+	}
+
 	if (c == gdAntiAliased) {
 		fill_color = im->AA_color;
 	} else {
@ -3209,6 +3243,9 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
 		while (im->polyAllocated < n) {
 			im->polyAllocated *= 2;
 		}
+		if (overflow2(sizeof(int), im->polyAllocated)) {
+			return;
+		}
 		im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated);
 	}
 	miny = p[0].y;