CVE-2008-3658 http://cvs.php.net/viewvc.cgi/php-src/ext/gd/gd.c?r1=1.312.2.20.2.35&r2=1.312.2.20.2.36&view=patch --- old/ext/gd/gd.c 2008/05/04 21:19:17 1.312.2.20.2.35 +++ new/ext/gd/gd.c 2008/07/17 22:58:23 1.312.2.20.2.36 @@ -1636,6 +1636,22 @@ font->nchars = FLIPWORD(font->nchars); body_size = font->w * font->h * font->nchars; } + + if (overflow2(font->nchars, font->h)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); + efree(font); + php_stream_close(stream); + RETURN_FALSE; + } + if (overflow2(font->nchars * font->h, font->w )) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font, invalid font header"); + efree(font); + php_stream_close(stream); + RETURN_FALSE; + } + + + if (body_size != body_size_check) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error reading font");