blob: 57b0bcb66c6b8f8196cad17aa7e9af98c70ab84f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Tue, 28 Jun 2016 16:23:42 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
_gd2GetHeader() resulting in heap overflow
--- libgd2.orig/src/gd_gd2.c
+++ libgd2/src/gd_gd2.c
@@ -156,8 +156,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
nc = (*ncx) * (*ncy);
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
sidx = sizeof (t_chunk_info) * nc;
+ if (overflow2(sidx, nc)) {
+ goto fail1;
+ }
cidx = gdCalloc (sidx, 1);
- if (!cidx) {
+ if (cidx == NULL) {
goto fail1;
}
for (i = 0; i < nc; i++) {
|
