fix possible OOB or OOM in gdImageScale, reported by Secunia (CVE 2016-6207)

3 files changed, 34 insertions, 1 deletions

diff --git a/tests/gdimagescale/CMakeLists.txt b/tests/gdimagescale/CMakeLists.txt
index 4e1a4fb..f5ebf2e 100644
--- a/tests/gdimagescale/CMakeLists.txt
+++ b/tests/gdimagescale/CMakeLists.txt
@@ -1,5 +1,6 @@
 LIST(APPEND TESTS_FILES
 	github_bug_00218
+	bug_overflow_large_new_size
 )
 
 ADD_GD_TESTS()
diff --git a/tests/gdimagescale/Makemodule.am b/tests/gdimagescale/Makemodule.am
index dacabe7..23b8924 100644
--- a/tests/gdimagescale/Makemodule.am
+++ b/tests/gdimagescale/Makemodule.am
@@ -1,6 +1,7 @@
 
 libgd_test_programs += \
-	gdimagescale/github_bug_00218
+	gdimagescale/github_bug_00218 \
+	gdimagescale/bug_overflow_large_new_size
 
 EXTRA_DIST += \
 	gdimagescale/CMakeLists.txt
diff --git a/tests/gdimagescale/bug_overflow_large_new_size.c b/tests/gdimagescale/bug_overflow_large_new_size.c
new file mode 100644
index 0000000..0a8503b
--- /dev/null
+++ b/tests/gdimagescale/bug_overflow_large_new_size.c
@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+#include <math.h>
+
+#include "gdtest.h"
+
+int main()
+{
+	gdImagePtr im, im2;
+
+	im = gdImageCreate(1,1);
+	if (im == NULL) {
+		printf("gdImageCreate failed\n");
+		return 1;
+	}
+	gdImageSetInterpolationMethod(im, GD_BELL);
+	
+	/* here the call may pass if the system has enough memory (physical or swap)
+	   or fails (overflow check or alloc fails.
+	   in both cases the tests pass */
+	im2 = gdImageScale(im,0x15555556, 1);
+	if (im2 == NULL) {
+		printf("gdImageScale failed, expected (out of memory or overflow validation\n");
+		return 0;
+	}
+	gdImageDestroy(im);
+	gdImageDestroy(im2);
+
+	return 0;
+}