blob: 1990705b29ac50cd6ae237cf4a942c67710ef7a9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
Backported from 5.5.37 for 5.4 by Remi Collet
From c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 20 Jun 2016 23:58:26 -0700
Subject: [PATCH] iFixed bug #72446 - Integer Overflow in
gdImagePaletteToTrueColor() resulting in heap overflow
---
NEWS | 2 ++
ext/gd/libgd/gd.c | 22 +++++++++++++---------
2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 2c63aac..4dad95a 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
return NULL;
}
+ if (overflow2(sizeof(unsigned char *), sx)) {
+ return NULL;
+ }
+
im = (gdImage *) gdCalloc(1, sizeof(gdImage));
/* Row-major ever since gd 1.3 */
|
