0003_bug_71459_integer_overflow_in_iptcembed

Summary: Don't overflow in iptcembed. Reviewed By: paulbiss Differential Revision: D3209224 fbshipit-source-id: feaca9fd861d28a3d542a17512ffd5e340f99608
facebook · Jun 4, 2016 · 381702f · 381702f
1 parent 4e614ba
commit 381702f
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/hphp/runtime/ext/gd/ext_gd.cpp b/hphp/runtime/ext/gd/ext_gd.cpp
@@ -4582,6 +4582,11 @@ Variant HHVM_FUNCTION(iptcembed, const String& iptcdata,
       return false;
     }
 
+    if (iptcdata_len >= (INT64_MAX - sizeof(psheader) - st_size - 1024 - 1)) {
+      raise_warning("iptcdata too long");
+      return false;
+    }
+
     auto malloc_size = iptcdata_len + sizeof(psheader) + st_size + 1024 + 1;
     poi = spoolbuf = (unsigned char *)IM_MALLOC(malloc_size);
     CHECK_ALLOC_R(poi, malloc_size, false);