LMPX.COM |
Home | Linux | Mysql | PHP | XML | ||
|
|
|||
From: Takeshi Abe Date: Tue Jul 29 19:53:13 2008 Subject: cvs: gd /libgd/src gd_nnquant.c gd_tga.c
tabe Wed Jul 30 01:53:13 2008 UTC
Modified files:
/gd/libgd/src gd_nnquant.c gd_tga.c
Log:
check integer overflows.
http://cvs.php.net/viewvc.cgi/gd/libgd/src/gd_nnquant.c?r1=1.3&r2=1.4&diff_format=u
Index: gd/libgd/src/gd_nnquant.c
diff -u gd/libgd/src/gd_nnquant.c:1.3 gd/libgd/src/gd_nnquant.c:1.4
--- gd/libgd/src/gd_nnquant.c:1.3 Tue Jan 1 18:55:20 2008
+++ gd/libgd/src/gd_nnquant.c Wed Jul 30 01:53:13 2008
@@ -496,6 +496,10 @@
* It alos lets us convert palette image, if one likes to reduce
* a palette
*/
+ if (overflow2(gdImageSX(im), gdImageSY(im))
+ || overflow2(gdImageSX(im) * gdImageSY(im), 4)) {
+ goto done;
+ }
rgba = (unsigned char *) gdMalloc(gdImageSX(im) * gdImageSY(im) * 4);
if (!rgba) {
goto done;
http://cvs.php.net/viewvc.cgi/gd/libgd/src/gd_tga.c?r1=1.11&r2=1.12&diff_format=u
Index: gd/libgd/src/gd_tga.c
diff -u gd/libgd/src/gd_tga.c:1.11 gd/libgd/src/gd_tga.c:1.12
--- gd/libgd/src/gd_tga.c:1.11 Wed Feb 27 23:24:59 2008
+++ gd/libgd/src/gd_tga.c Wed Jul 30 01:53:13 2008
@@ -202,6 +202,10 @@
return -1;
}
+ if(overflow2(image_block_size, sizeof(byte))) {
+ return -1;
+ }
+
/*! \brief Allocate memmory for image block
* Allocate a chunk of memory for the image block to be passed into.
*/
| Navigate in group php.gd.cvs at sever news.php.net | |
| Previous | Next |
| © No Copyright You are free to use Anything |
Site Maintained by PHP Developer
Powered By PHP Consultants |