Skip to content
Permalink
Browse files

Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap ov…

…erflow
  • Loading branch information...
pierrejoye authored and weltling committed Jun 18, 2016
1 parent 7245bff commit 7722455726bec8c53458a32851d2a87982cf0eac
Showing with 18 additions and 0 deletions.
  1. +7 −0 ext/gd/libgd/gd_gd2.c
  2. BIN ext/gd/tests/bug72339.gd
  3. +11 −0 ext/gd/tests/bug72339.phpt
@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
if (gd2_compressed(*fmt)) {
nc = (*ncx) * (*ncy);
GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
if (overflow2(sidx, nc)) {
goto fail1;
}
sidx = sizeof(t_chunk_info) * nc;
if (sidx <= 0) {
goto fail1;
}
cidx = gdCalloc(sidx, 1);
if (cidx == NULL) {
goto fail1;
}

for (i = 0; i < nc; i++) {
if (gdGetInt(&cidx[i].offset, in) != 1) {
gdFree(cidx);
Binary file not shown.
@@ -0,0 +1,11 @@
--TEST--
Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
--SKIPIF--
<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
--FILE--
<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
--EXPECTF--
Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
in %sbug72339.php on line %d

Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d

0 comments on commit 7722455

Please sign in to comment.
You can’t perform that action at this time.