--- php-5.1.6/ext/gd/libgd/wbmp.c.cve1001
+++ php-5.1.6/ext/gd/libgd/wbmp.c
@@ -102,6 +102,8 @@
return (0);
}
+#define SAFE_MULTIPLE(x,y) (x == 0 || y == 0 || (x > 0 && y > 0 && (x < INT_MAX / y)))
+
/* create wbmp
** -----------
** create an empty wbmp
@@ -116,6 +118,12 @@
if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
return (NULL);
+ if (!SAFE_MULTIPLE(width, height)) {
+ php_gd_error("createwbmp: Integer overflow from WBMP image height/width (%d x %d)\n", width, height);
+ gdFree(wbmp);
+ return NULL;
+ }
+
if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
{
gdFree (wbmp);
@@ -176,6 +184,13 @@
printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
#endif
+ if (!SAFE_MULTIPLE(wbmp->width, wbmp->height)) {
+ php_gd_error("readwbmp: Integer overflow from WBMP image height/width (%d x %d)\n",
+ wbmp->width, wbmp->height);
+ gdFree(wbmp);
+ return (-1);
+ }
+
if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
{
gdFree (wbmp);
distrib
>
Mandriva
>
2007.1
>
x86_64
>
media
>
main-updates-src
>
by-pkgid
>
5f84d7198ad7e76815a0aab8da1d5b40
>
files
>
28
