authorStanislav Malyshev <stas@php.net>2016-06-20 23:58:26 -0700
committerStanislav Malyshev <stas@php.net>2016-06-20 23:58:26 -0700
commitc395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 (patch)
tree6be3343a872886d406dec0ff8eb477e2b2a48dcb
parentb028cacf3104461c1b7417b7ad952baa6edc4bd6 (diff)
Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
-rw-r--r--NEWS2
-rw-r--r--ext/gd/libgd/gd.c22
2 files changed, 15 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index fffc443a7c..6f1461c2f9 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,8 @@ PHP NEWS
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (Pierre)
. Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
+ . Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
+ in heap overflow). (Pierre)
- mbstring:
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 2c63aac4cd..4dad95ae39 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
return NULL;
}
+ if (overflow2(sizeof(unsigned char *), sx)) {
+ return NULL;
+ }
+
im = (gdImage *) gdCalloc(1, sizeof(gdImage));
/* Row-major ever since gd 1.3 */
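Review bot: The new `overflow2(sizeof(unsigned char *), sx)` guard in gdImageCreate carries no comment saying what it protects, and nothing in the visible lines multiplies sx by a pointer size, so a later maintainer could take it for redundant and drop it. Going by the commit title, it presumably bounds sx so that a per-row allocation of `sizeof(int) * sx` in gdImagePaletteToTrueColor() cannot wrap; that function is not part of this diff, so this should be confirmed. I would add `/* bound sx too: truecolor conversion later allocates sizeof(int) * sx per row */` above the check. It is also worth considering an `overflow2(sizeof(int), src->sx)` check at the conversion's own allocation site, so that an image whose dimensions did not pass through gdImageCreate is covered as well. gdImageCreate's body starts and ends outside the hunk.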
@@ -1098,12 +1102,12 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
int thick = im->thick;
if (color == gdAntiAliased) {
- /*
+ /*
gdAntiAliased passed as color: use the much faster, much cheaper
and equally attractive gdImageAALine implementation. That
clips too, so don't clip twice.
*/
- gdImageAALine(im, x1, y1, x2, y2, im->AA_color);
+ gdImageAALine(im, x1, y1, x2, y2, im->AA_color);
return;
}
@@ -1880,7 +1884,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
return;
}
- alphablending_bak = im->alphaBlendingFlag;
+ alphablending_bak = im->alphaBlendingFlag;
im->alphaBlendingFlag = 0;
if (nc==gdTiled){
@@ -1892,7 +1896,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
wx2=im->sx;wy2=im->sy;
oc = gdImageGetPixel(im, x, y);
if (oc==nc || x<0 || x>wx2 || y<0 || y>wy2) {
- im->alphaBlendingFlag = alphablending_bak;
+ im->alphaBlendingFlag = alphablending_bak;
return;
}
@@ -1955,7 +1959,7 @@ skip: for (x++; x<=x2 && (gdImageGetPixel(im, x, y)!=oc); x++);
efree(stack);
done:
- im->alphaBlendingFlag = alphablending_bak;
+ im->alphaBlendingFlag = alphablending_bak;
}
static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
@@ -2061,7 +2065,7 @@ void gdImageRectangle (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
x1ul = x1 - half;
y1ul = y1 - half;
-
+
x2lr = x2 + half;
y2lr = y2 + half;
@@ -2259,7 +2263,7 @@ void gdImageCopyMerge (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int s
int tox, toy;
int ncR, ncG, ncB;
toy = dstY;
-
+
for (y = srcY; y < (srcY + h); y++) {
tox = dstX;
for (x = srcX; x < (srcX + w); x++) {
@@ -2356,7 +2360,7 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
int colorMap[gdMaxColors];
/* Stretch vectors */
int *stx, *sty;
-
+
if (overflow2(sizeof(int), srcW)) {
return;
}
@@ -2901,7 +2905,7 @@ int gdAlphaBlend (int dst, int src) {
src_weight = gdAlphaTransparent - src_alpha;
dst_weight = (gdAlphaTransparent - dst_alpha) * src_alpha / gdAlphaMax;
tot_weight = src_weight + dst_weight;
-
+
/* -------------------------------------------------------------------- */
/* What red, green and blue result values will we use? */
/* -------------------------------------------------------------------- */