From 381702ffbfdae170ba3fff97d6cc1b9c69666854 Mon Sep 17 00:00:00 2001
From: Christopher Dykes
Date: Fri, 3 Jun 2016 16:51:23 -0700
Subject: [PATCH] 0003_bug_71459_integer_overflow_in_iptcembed

Summary: Don't overflow in iptcembed.

Reviewed By: paulbiss

Differential Revision: D3209224

fbshipit-source-id: feaca9fd861d28a3d542a17512ffd5e340f99608
---
 hphp/runtime/ext/gd/ext_gd.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hphp/runtime/ext/gd/ext_gd.cpp b/hphp/runtime/ext/gd/ext_gd.cpp
index 080188ca43d18..51f56bec6d247 100644
--- a/hphp/runtime/ext/gd/ext_gd.cpp
+++ b/hphp/runtime/ext/gd/ext_gd.cpp
@@ -4582,6 +4582,11 @@ Variant HHVM_FUNCTION(iptcembed, const String& iptcdata,
     return false;
   }
 
+  if (iptcdata_len >= (INT64_MAX - sizeof(psheader) - st_size - 1024 - 1)) {
+    raise_warning("iptcdata too long");
+    return false;
+  }
+
   auto malloc_size = iptcdata_len + sizeof(psheader) + st_size + 1024 + 1;
   poi = spoolbuf = (unsigned char *)IM_MALLOC(malloc_size);
   CHECK_ALLOC_R(poi, malloc_size, false);
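Review bot: The new guard and the `malloc_size` expression on the line after it each spell out the overhead `sizeof(psheader) + st_size + 1024 + 1` independently, so the bound and the allocation it protects can drift apart if either is edited later; hoisting the fixed part into one constant, `constexpr size_t kIptcOverhead = sizeof(psheader) + 1024 + 1;`, and using it in both the check and `malloc_size` keeps them tied together. Because `sizeof(psheader)` is `size_t`, the whole right-hand side is evaluated in unsigned arithmetic and `iptcdata_len` is converted to match; the declarations of `iptcdata_len` and `st_size` are outside the hunk, so if `st_size` is a signed type that can still be negative at this point the threshold would be loosened rather than triggered, and an explicit `st_size < 0` rejection (or casting both operands to `uint64_t` before comparing) would make the intended contract unambiguous. The threshold is otherwise an opaque expression, so a one-line comment above the check, `// reject inputs that would make malloc_size (below) exceed INT64_MAX`, would tell the next reader what it defends. HHVM_FUNCTION(iptcembed) begins and ends outside the hunk.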