--- php-5.1.6/ext/gd/libgd/wbmp.c.cve1001
+++ php-5.1.6/ext/gd/libgd/wbmp.c
@@ -102,6 +102,8 @@
 return (0);
 }
 
+#define SAFE_MULTIPLE(x,y) (x == 0 || y == 0 || (x > 0 && y > 0 && (x < INT_MAX / y)))
+
 /* create wbmp
 ** -----------
 ** create an empty wbmp
@@ -116,6 +118,12 @@
 if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
 return (NULL);
 
+ if (!SAFE_MULTIPLE(width, height)) {
+ php_gd_error("createwbmp: Integer overflow from WBMP image height/width (%d x %d)\n", width, height);
+ gdFree(wbmp);
+ return NULL;
+ }
+
 if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
 {
 gdFree (wbmp);
@@ -176,6 +184,13 @@
 printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
 #endif
 
+ if (!SAFE_MULTIPLE(wbmp->width, wbmp->height)) {
+ php_gd_error("readwbmp: Integer overflow from WBMP image height/width (%d x %d)\n",
+ wbmp->width, wbmp->height);
+ gdFree(wbmp);
+ return (-1);
+ }
+
 if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
 {
 gdFree (wbmp);
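Review bot: The `SAFE_MULTIPLE` macro added in the first hunk (`@@ -102,6 +102,8 @@`) expands its arguments without parentheses and evaluates each of them up to three times, so it is only correct for simple, side-effect-free operands like the ones both call sites pass today. Parenthesizing keeps it correct for later callers: `#define SAFE_MULTIPLE(x, y) ((x) == 0 || (y) == 0 || ((x) > 0 && (y) > 0 && (x) < INT_MAX / (y)))`. It also depends on `INT_MAX`, and no `#include <limits.h>` is visible in this patch, so confirm the header is already pulled in. A short comment such as `/* true when x * y fits in an int; the byte-size multiplication is left to the allocator */` would record what the check covers, if that is the intent.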
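Review bot: In the `createwbmp` hunk (`@@ -116,6 +118,12 @@`) the overflow guard runs only after `gdMalloc` has allocated the `Wbmp`, so the reject path needs its own `gdFree(wbmp)`. `width` and `height` appear to be the function's parameters, so the guard could sit before the allocation and return without any cleanup. The message says "height/width" while the arguments are passed as `width, height`, which makes the logged pair easy to misread; `"createwbmp: Integer overflow from WBMP image width/height (%d x %d)\n"` would match, and the `readwbmp` message has the same ordering. The new `return NULL;` also differs from the `return (NULL);` style of the surrounding lines. The function starts and ends outside this hunk.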
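Review bot: The guard added to `readwbmp` (`@@ -176,6 +184,13 @@`) still accepts a negative dimension when the other one is zero, because `SAFE_MULTIPLE` returns true as soon as `x == 0 || y == 0`. These values appear to come from the image header, so rejecting negative dimensions explicitly before the product check is the safer form: `if (wbmp->width < 0 || wbmp->height < 0 || !SAFE_MULTIPLE(wbmp->width, wbmp->height)) {`. Whether the header parser can actually yield a negative value is not visible in this hunk, and the function continues outside it.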