Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
smalyshev committed Jun 21, 2016
1 parent b028cac commit c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6
Showing with 6 additions and 0 deletions.
  1. +2 −0 NEWS
  2. +4 −0 ext/gd/libgd/gd.c
2 NEWS
@@ -18,6 +18,8 @@ PHP NEWS
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (Pierre)
. Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
. Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
in heap overflow). (Pierre)

- mbstring:
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
return NULL;
}

if (overflow2(sizeof(unsigned char *), sx)) {
return NULL;
}

im = (gdImage *) gdCalloc(1, sizeof(gdImage));

/* Row-major ever since gd 1.3 */
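Review bot: the added `overflow2(sizeof(unsigned char *), sx)` check in gdImageCreate() carries no comment saying which allocation it bounds, and the commit title and NEWS entry name gdImagePaletteToTrueColor(), a function this hunk does not touch. Add a short comment above the check naming the allocation it protects and why the guard sits at image creation, so it is not later removed as redundant. The commit changes only NEWS and ext/gd/libgd/gd.c; a regression test that passes a width large enough to trip the check and expects a NULL return would pin the behaviour.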
