
Commit 7722455

pierrejoyeweltling
authored andcommitted
Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
1 parent 7245bff commit 7722455


3 files changed

+18
-0
lines changed


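--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
 if (gd2_compressed(*fmt)) {
 nc = (*ncx) * (*ncy);
 GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+if (overflow2(sidx, nc)) {
+goto fail1;
+}
 sidx = sizeof(t_chunk_info) * nc;
 if (sidx <= 0) {
 goto fail1;
 }
 cidx = gdCalloc(sidx, 1);
+if (cidx == NULL) {
+goto fail1;
+}
+
 for (i = 0; i < nc; i++) {
 if (gdGetInt(&cidx[i].offset, in) != 1) {
 gdFree(cidx);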
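Review bot: The new guard `if (overflow2(sidx, nc))` reads `sidx` one line before it is assigned, so it does not test the product actually computed next, `sizeof(t_chunk_info) * nc`. Unless `sidx` is given a value earlier in `_gd2GetHeader()` (the function starts and ends outside this hunk), the check runs on an indeterminate operand and may pass or fail independently of the real allocation size. The guard should use the operands that are multiplied: `if (overflow2(sizeof(t_chunk_info), nc)) {`. Separately, `nc = (*ncx) * (*ncy)` on the context line above is itself an unchecked product of values that appear to come from the file header, so a wrapped or negative `nc` can reach this point; checking `overflow2(*ncx, *ncy)` and rejecting non-positive counts before computing `nc` would cover that as well.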

Diff for: ext/gd/tests/bug72339.gd

64 MB
Binary file not shown.

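--- a/ext/gd/tests/bug72339.phpt
+++ b/ext/gd/tests/bug72339.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
+--SKIPIF--
+<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
+--FILE--
+<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+in %sbug72339.php on line %d
+
+Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d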
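Review bot: The test depends on the 64 MB binary fixture `bug72339.gd` added in the same commit, which is a heavy file to carry for a regression check whose expected output shows the load being rejected as "not a valid GD2 file". Judging from the `_gd2GetHeader()` hunk, the rejection happens while the header is parsed, so a fixture holding only the header, or one written to a temporary file in `--FILE--` and deleted in a `--CLEAN--` section, should produce the same two warnings; confirm that before shrinking it. The first expected warning also pins the exact overflow message, so the test only passes when the guard in `gd_gd2.c` fires for this input and not merely when the load fails.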
