Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:rkwasny
php
php-5.1.2-CVE-2007-1001.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-5.1.2-CVE-2007-1001.patch of Package php
--- ext/gd/config.m4 2006/12/26 10:42:50 1.154.2.1.2.1 +++ ext/gd/config.m4 2007/03/10 12:18:36 1.154.2.1.2.2 @@ -298,7 +298,7 @@ libgd/gdxpm.c libgd/gdfontt.c libgd/gdfonts.c libgd/gdfontmb.c libgd/gdfontl.c \ libgd/gdfontg.c libgd/gdtables.c libgd/gdft.c libgd/gdcache.c libgd/gdkanji.c \ libgd/wbmp.c libgd/gd_wbmp.c libgd/gdhelpers.c libgd/gd_topal.c libgd/gd_gif_in.c \ - libgd/xbm.c libgd/gd_gif_out.c " + libgd/xbm.c libgd/gd_gif_out.c libgd/gd_security.c" dnl check for fabsf and floorf which are available since C99 AC_CHECK_FUNCS(fabsf floorf) --- ext/gd/libgd/gd_security.c 2007/03/10 12:16:19 1.1.2.1 +++ ext/gd/libgd/gd_security.c 2007/03/10 12:18:36 1.1.2.2 @@ -0,0 +1,33 @@ +/* + * gd_security.c + * + * Implements buffer overflow check routines. + * + * Written 2004, Phil Knirsch. + * Based on netpbm fixes by Alan Cox. + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <limits.h> +#include "gd.h" + +int overflow2(int a, int b) +{ + if(a < 0 || b < 0) { + php_gd_error("gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); + return 1; + } + if(b == 0) + return 0; + if(a > INT_MAX / b) { + php_gd_error("gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); + return 1; + } + return 0; +} --- ext/gd/libgd/gdhelpers.h 2003/12/28 20:11:08 1.8 +++ ext/gd/libgd/gdhelpers.h 2007/03/10 12:18:36 1.8.6.1 @@ -21,6 +21,13 @@ #define gdPFree(ptr) pefree(ptr, 1) #define gdPEstrdup(ptr) pestrdup(ptr, 1) +/* Returns nonzero if multiplying the two quantities will + result in integer overflow. Also returns nonzero if + either quantity is negative. By Phil Knirsch based on + netpbm fixes by Alan Cox. */ + +int overflow2(int a, int b); + #ifdef ZTS #define gdMutexDeclare(x) MUTEX_T x #define gdMutexSetup(x) x = tsrm_mutex_alloc() --- ext/gd/libgd/wbmp.c 2003/12/31 01:01:44 1.5 +++ ext/gd/libgd/wbmp.c 2007/03/10 12:18:36 1.5.6.1 @@ -116,6 +116,15 @@ if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL) return (NULL); + if (overflow2(sizeof (int), width)) { + gdFree(wbmp); + return NULL; + } + if (overflow2(sizeof (int) * width, height)) { + gdFree(wbmp); + return NULL; + } + if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL) { gdFree (wbmp); @@ -176,7 +185,14 @@ printf ("W: %d, H: %d\n", wbmp->width, wbmp->height); #endif - if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) + if (overflow2(sizeof (int), wbmp->width) || + overflow2(sizeof (int) * wbmp->width, wbmp->height)) + { + gdFree(wbmp); + return (-1); + } + + if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) { gdFree (wbmp); return (-1);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor