Patch 72339.txt for GD related Bug #72339
Patch version 2016-06-06 06:49 UTC
Return to Bug #72339 |
Download this patch
Patch Revisions:
Developer: pajoye@php.net
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 6726fee..63e3aef 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
if (gd2_compressed(*fmt)) {
nc = (*ncx) * (*ncy);
GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+ if (overflow2(sidx, nc)) {
+ goto fail1;
+ }
sidx = sizeof(t_chunk_info) * nc;
if (sidx <= 0) {
goto fail1;
}
cidx = gdCalloc(sidx, 1);
+ if (cidx == NULL) {
+ goto fail1;
+ }
+
for (i = 0; i < nc; i++) {
if (gdGetInt(&cidx[i].offset, in) != 1) {
gdFree(cidx);
|
Copyright © 2001-2024 The PHP Group