diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_webp.c | 8 |
2 files changed, 10 insertions, 0 deletions
@@ -22,6 +22,8 @@ PHP NEWS (cmb) . Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending). (cmb) + . Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab, + cmb) - Mbstring: . Fixed bug #66797 (mb_substr only takes 32-bit signed integer). (cmb) diff --git a/ext/gd/libgd/gd_webp.c b/ext/gd/libgd/gd_webp.c index da0cc9d5b8..0ce27e03b4 100644 --- a/ext/gd/libgd/gd_webp.c +++ b/ext/gd/libgd/gd_webp.c @@ -120,6 +120,14 @@ void gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantization) quantization = 80; } + if (overflow2(gdImageSX(im), 4)) { + return; + } + + if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) { + return; + } + argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im)); if (!argb) { return; |