Merge branch 'PHP-5.6' into PHP-7.0

author: Christoph M. Becker <cmbecker69@gmx.de> 2016-09-16 11:40:36 +0200
committer: Christoph M. Becker <cmbecker69@gmx.de> 2016-09-16 11:41:42 +0200
commit: c18263e0e0769faee96a5d0ee04b750c442783c6 (patch)
tree: f49177ad80f5c74d156a75358a335dc415409623
parent: d2d77c028d78add62cde08cf294f9ffb62a5005b (diff)
parent: 46df0642618eabc5b5b7df490d1ae23bda00a745 (diff)
download: php-git-c18263e0e0769faee96a5d0ee04b750c442783c6.tar.gz
2 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 76cad3ea1c..42d30ab8eb 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ PHP                                                                        NEWS
     (cmb)
   . Fixed bug #50194 (imagettftext broken on transparent background w/o
     alphablending). (cmb)
+  . Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
+    cmb)
 
 - Mbstring:
   . Fixed bug #66797 (mb_substr only takes 32-bit signed integer). (cmb)
diff --git a/ext/gd/libgd/gd_webp.c b/ext/gd/libgd/gd_webp.c
index da0cc9d5b8..0ce27e03b4 100644
--- a/ext/gd/libgd/gd_webp.c
+++ b/ext/gd/libgd/gd_webp.c
@@ -120,6 +120,14 @@ void gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantization)
 		quantization = 80;
 	}
 
+	if (overflow2(gdImageSX(im), 4)) {
+		return;
+	}
+
+	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
+		return;
+	}
+
 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
 	if (!argb) {
 		return;
author	Christoph M. Becker <cmbecker69@gmx.de>	2016-09-16 11:40:36 +0200
committer	Christoph M. Becker <cmbecker69@gmx.de>	2016-09-16 11:41:42 +0200
commit	c18263e0e0769faee96a5d0ee04b750c442783c6 (patch)
tree	f49177ad80f5c74d156a75358a335dc415409623
parent	d2d77c028d78add62cde08cf294f9ffb62a5005b (diff)
parent	46df0642618eabc5b5b7df490d1ae23bda00a745 (diff)
download	php-git-c18263e0e0769faee96a5d0ee04b750c442783c6.tar.gz