authorChristoph M. Becker <cmbecker69@gmx.de>2016-09-16 11:31:21 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2016-09-16 11:37:18 +0200
commit46df0642618eabc5b5b7df490d1ae23bda00a745 (patch)
treeb8ae3008c4657ea0f9b9d5fe47f5939513bee44c
parent3c117d4136d26c8d6e4127c89b2160c477f45e11 (diff)
Fix #73003: Integer Overflow in gdImageWebpCtx of gd_webp.c
We add the missing integer overflow check to avoid potential buffer overflows.
-rw-r--r--NEWS2
-rw-r--r--ext/gd/libgd/gd_webp.c9
2 files changed, 11 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 63a6800ba7..ef6cb570ab 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ PHP NEWS
(cmb)
. Fixed bug #50194 (imagettftext broken on transparent background w/o
alphablending). (cmb)
+ . Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
+ cmb)
- Mbstring:
. Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
diff --git a/ext/gd/libgd/gd_webp.c b/ext/gd/libgd/gd_webp.c
index bf9ac9dd0e..985187edc2 100644
--- a/ext/gd/libgd/gd_webp.c
+++ b/ext/gd/libgd/gd_webp.c
@@ -180,6 +180,15 @@ void gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantization)
/* Conversion to Y,U,V buffer */
yuv_width = (width + 1) >> 1;
yuv_height = (height + 1) >> 1;
+
+ if (overflow2(width, height)) {
+ return;
+ }
+ /* simplification possible, because WebP must not be larger than 16384**2 */
+ if (overflow2(width * height, 2 * sizeof(unsigned char))) {
+ return;
+ }
+
yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
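Review bot: The comment on the second check relies on the WebP 16384**2 size limit, but nothing in this hunk enforces that limit on `width` and `height`, so the guard tests an approximation (2 × width × height) rather than the expression assigned to `yuv_nbytes`. Either reject oversize dimensions explicitly before the arithmetic, or state in the comment why the 2× bound covers `width * height + 2 * yuv_width * yuv_height`, e.g. `/* yuv_nbytes is roughly 1.5 * width * height, so bounding 2 * width * height is sufficient */`. The two `(width + 1) >> 1` / `(height + 1) >> 1` lines still run before either guard, so moving both checks above them would put all of the size arithmetic behind validation. Both early returns write nothing to `outfile`; if `overflow2()` does not already report the failure, a `gd_error()` call before each `return` would let callers see why no image was produced. The body of `gdImageWebpCtx` starts and ends outside the hunk, so where `width` and `height` come from is not visible here.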