iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

2025-08-16 05:58:45 +02:00 · 2016-06-20 23:58:26 -07:00 · 2016-06-20 23:58:26 -07:00 · c395c6e5d7
commit c395c6e5d7
parent b028cacf31
2 changed files with 15 additions and 9 deletions
--- a/2
+++ b/2
@ -18,6 +18,8 @@ PHP                                                                        NEWS
  . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in 
    heap overflow). (Pierre)
  . Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
+  . Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
+    in heap overflow). (Pierre)

 - mbstring:
   . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
 		return NULL;
 	}

+	if (overflow2(sizeof(unsigned char *), sx)) {
+		return NULL;
+	}
+
 	im = (gdImage *) gdCalloc(1, sizeof(gdImage));

 	/* Row-major ever since gd 1.3 */
@ -1098,12 +1102,12 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
 	int thick = im->thick;

 	if (color == gdAntiAliased) {
-		/* 
+		/*
 		   gdAntiAliased passed as color: use the much faster, much cheaper
 		   and equally attractive gdImageAALine implementation. That
 		   clips too, so don't clip twice.
 		   */
-		gdImageAALine(im, x1, y1, x2, y2, im->AA_color); 
+		gdImageAALine(im, x1, y1, x2, y2, im->AA_color);
 		return;
 	}

@ -1880,7 +1884,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
 		return;
 	}

-	alphablending_bak = im->alphaBlendingFlag;	
+	alphablending_bak = im->alphaBlendingFlag;
 	im->alphaBlendingFlag = 0;

 	if (nc==gdTiled){
@ -1892,7 +1896,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
 	wx2=im->sx;wy2=im->sy;
 	oc = gdImageGetPixel(im, x, y);
 	if (oc==nc || x<0 || x>wx2 || y<0 || y>wy2) {
-		im->alphaBlendingFlag = alphablending_bak;	
+		im->alphaBlendingFlag = alphablending_bak;
 		return;
 	}

@ -1955,7 +1959,7 @@ skip:			for (x++; x<=x2 && (gdImageGetPixel(im, x, y)!=oc); x++);
 	efree(stack);

 done:
-	im->alphaBlendingFlag = alphablending_bak;	
+	im->alphaBlendingFlag = alphablending_bak;
 }

 static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
@ -2061,7 +2065,7 @@ void gdImageRectangle (gdImagePtr im, int x1, int y1, int x2, int y2, int color)

 		x1ul = x1 - half;
 		y1ul = y1 - half;
-		
+
 		x2lr = x2 + half;
 		y2lr = y2 + half;

@ -2259,7 +2263,7 @@ void gdImageCopyMerge (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int s
 	int tox, toy;
 	int ncR, ncG, ncB;
 	toy = dstY;
-	
+
 	for (y = srcY; y < (srcY + h); y++) {
 		tox = dstX;
 		for (x = srcX; x < (srcX + w); x++) {
@ -2356,7 +2360,7 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
 	int colorMap[gdMaxColors];
 	/* Stretch vectors */
 	int *stx, *sty;
-	
+
 	if (overflow2(sizeof(int), srcW)) {
 		return;
 	}
@ -2901,7 +2905,7 @@ int gdAlphaBlend (int dst, int src) {
    src_weight = gdAlphaTransparent - src_alpha;
    dst_weight = (gdAlphaTransparent - dst_alpha) * src_alpha / gdAlphaMax;
    tot_weight = src_weight + dst_weight;
-    
+
 /* -------------------------------------------------------------------- */
 /*      What red, green and blue result values will we use?             */
 /* -------------------------------------------------------------------- */