SUSE:SLE-12-SP1:GA
File php-CVE-2016-7568.patch of Package php5.4366
Index: php-5.6.1/ext/gd/libgd/gd_webp.c =================================================================== --- php-5.6.1.orig/ext/gd/libgd/gd_webp.c 2016-10-14 09:04:49.627007804 +0200 +++ php-5.6.1/ext/gd/libgd/gd_webp.c 2016-10-14 09:09:48.151627161 +0200 @@ -2,6 +2,7 @@ #include <math.h> #include <string.h> #include <stdlib.h> +#include <limits.h> #include "gd.h" @@ -159,6 +160,19 @@ int mapQualityToVP8QP(int quality) { return (int)(vp8qp + 0.5); } +int overflow_add(int a, int b) +{ + if( a > INT_MAX - b) + return 1; + return 0; +} + +int overflow3(int a, int b, int c) +{ + return (overflow2(a,b) + overflow2(a*b, c)); +} + + /* This routine is based in part on code from Dale Lutz (Safe Software Inc.) * and in part on demo code from Chapter 15 of "PNG: The Definitive Guide" * (http://www.cdrom.com/pub/png/pngbook.html). @@ -182,6 +196,19 @@ void gdImageWebpCtx (gdImagePtr im, gdIO yuv_height = (height + 1) >> 1; yuv_nbytes = width * height + 2 * yuv_width * yuv_height; + if (overflow2(width, height)) { + return; + } + + if (overflow3(2, yuv_width, yuv_height)) { + return; + } + + if (overflow_add(width * height, 2 * yuv_width * yuv_height)) { + return; + } + + if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) { php_gd_error("gd-webp error: cannot allocate Y buffer"); return;
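Review bot: in overflow3 (hunk @@ -159,6 +160,19 @@), the product a*b is evaluated even when overflow2(a,b) has flagged an overflow, because + evaluates both operands, so the signed multiplication the helper is meant to guard still takes place. A short-circuit form such as "return overflow2(a, b) || overflow2(a * b, c);" reaches the second call only once a*b is known to fit. In the same hunk, overflow_add computes INT_MAX - b, which itself overflows when b is negative; either reject negative arguments first or document that both must be non-negative. If the two helpers are used only in gd_webp.c, declaring them static avoids exporting generic names from the object file.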
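Review bot: in gdImageWebpCtx (hunk @@ -182,6 +196,19 @@), the three new checks sit after "yuv_nbytes = width * height + 2 * yuv_width * yuv_height;", so the overflowing signed arithmetic has already been performed by the time it is tested. Move that assignment below the checks so yuv_nbytes is computed only from operands known to fit in an int. The argument expressions in overflow_add(width * height, 2 * yuv_width * yuv_height) are acceptable where they are, since the preceding overflow2 and overflow3 calls cover both products, but that ordering dependency deserves a short comment.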