diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2018-12-12 16:00:59 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-01-06 11:33:38 -0800 |
commit | a918020c03880e12ac9f38e11a4a3789491a5f85 (patch) | |
tree | 905acc72188f7aa4375b791a531ad6293e150541 | |
parent | 428d8164ffcf6f75a6cc9d4056e54bfd450dac03 (diff) | |
download | php-git-a918020c03880e12ac9f38e11a4a3789491a5f85.tar.gz |
Fix #77269: Potential unsigned underflow in gdImageScale
Belatedly, we're porting the respective upstream patch[1].
[1] <https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35>
-rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 18 | ||||
-rw-r--r-- | ext/gd/tests/bug77269.phpt | 21 |
2 files changed, 30 insertions, 9 deletions
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 1c151b5509..d456c0a596 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -880,8 +880,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, { unsigned int u = 0; LineContribType *res; - int overflow_error = 0; + size_t weights_size; + if (overflow2(windows_size, sizeof(double))) { + return NULL; + } else { + weights_size = windows_size * sizeof(double); + } res = (LineContribType *) gdMalloc(sizeof(LineContribType)); if (!res) { return NULL; @@ -898,15 +903,10 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, return NULL; } for (u = 0 ; u < line_length ; u++) { - if (overflow2(windows_size, sizeof(double))) { - overflow_error = 1; - } else { - res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double)); - } - if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) { + res->ContribRow[u].Weights = (double *) gdMalloc(weights_size); + if (res->ContribRow[u].Weights == NULL) { unsigned int i; - u--; - for (i=0;i<=u;i++) { + for (i=0;i<u;i++) { gdFree(res->ContribRow[i].Weights); } gdFree(res->ContribRow); diff --git a/ext/gd/tests/bug77269.phpt b/ext/gd/tests/bug77269.phpt new file mode 100644 index 0000000000..3bdc23e80a --- /dev/null +++ b/ext/gd/tests/bug77269.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #77269 (Potential unsigned underflow in gdImageScale) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +if (getenv("SKIP_SLOW_TESTS")) die("skip slow test"); +?> +--INI-- +memory_limit=2G +--FILE-- +<?php +$im = imagecreate(2**28, 1); +if(is_resource($im)) { + imagescale($im, 1, 1, IMG_TRIANGLE); +} +?> +===DONE=== +--EXPECTF-- +Warning: imagecreate():%S product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %s on line %d +===DONE=== |