Additional safety checks.

# More to follow
author: Ilia Alshanetsky <iliaa@php.net> 2005-02-23 23:39:36 +0000
committer: Ilia Alshanetsky <iliaa@php.net> 2005-02-23 23:39:36 +0000
commit: fac3e54ad97158c1c9f3b76b58dc47a1774f7b07 (patch)
tree: 5b18a14e5f958c1ac59c54d2269a774a9a809b75
parent: b786b93b7a9aa8821de5fdea22526585f616eee8 (diff)
download: php-git-fac3e54ad97158c1c9f3b76b58dc47a1774f7b07.tar.gz
1 files changed, 8 insertions, 2 deletions
diff --git a/ext/standard/image.c b/ext/standard/image.c
index 2fd361474d..477d57c61d 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -636,6 +636,10 @@ static struct gfxinfo *php_handle_jpc(php_stream * stream TSRMLS_DC)
 	dummy_int = php_read4(stream TSRMLS_CC); /* YTOsiz */
 
 	result->channels = php_read2(stream TSRMLS_CC); /* Csiz */
+	if (result->channels < 0 || result->channels > 256) {
+		efree(result);
+		return NULL;
+	}
 
 	/* Collect bit depth info */
 	highest_bit_depth = bit_depth = 0;
@@ -683,7 +687,7 @@ static struct gfxinfo *php_handle_jp2(php_stream *stream TSRMLS_DC)
 			break;
 		}
 
-		if (box_length == 1) {
+		if (box_length <= 1) {
 			/* We won't handle XLBoxes */
 			return NULL;
 		}
@@ -698,7 +702,9 @@ static struct gfxinfo *php_handle_jp2(php_stream *stream TSRMLS_DC)
 		}
 
 		/* Skip over LBox (Which includes both TBox and LBox itself */
-		php_stream_seek(stream, box_length - 8, SEEK_CUR); 
+		if (php_stream_seek(stream, box_length - 8, SEEK_CUR)) {
+			break;
+		}
 	}
 
 	if (result == NULL) {
author	Ilia Alshanetsky <iliaa@php.net>	2005-02-23 23:39:36 +0000
committer	Ilia Alshanetsky <iliaa@php.net>	2005-02-23 23:39:36 +0000
commit	fac3e54ad97158c1c9f3b76b58dc47a1774f7b07 (patch)
tree	5b18a14e5f958c1ac59c54d2269a774a9a809b75
parent	b786b93b7a9aa8821de5fdea22526585f616eee8 (diff)
download	php-git-fac3e54ad97158c1c9f3b76b58dc47a1774f7b07.tar.gz