iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() r…

…esulting in heap overflow
php · Jun 21, 2016 · c395c6e · c395c6e
1 parent b028cac
commit c395c6e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -18,6 +18,8 @@ PHP                                                                        NEWS
   . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in 
     heap overflow). (Pierre)
   . Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
+  . Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
+    in heap overflow). (Pierre)
 
 - mbstring:
    . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
 		return NULL;
 	}
 
+	if (overflow2(sizeof(unsigned char *), sx)) {
+		return NULL;
+	}
+
 	im = (gdImage *) gdCalloc(1, sizeof(gdImage));
 
 	/* Row-major ever since gd 1.3 */