mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Fix #77269: Potential unsigned underflow in gdImageScale
Belatedly, we're porting the respective upstream patch[1].
[1] <60bfb401ad
>
This commit is contained in:
parent
78bd347774
commit
dfd8237aec
@ -890,8 +890,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
|
||||
{
|
||||
unsigned int u = 0;
|
||||
LineContribType *res;
|
||||
int overflow_error = 0;
|
||||
size_t weights_size;
|
||||
|
||||
if (overflow2(windows_size, sizeof(double))) {
|
||||
return NULL;
|
||||
} else {
|
||||
weights_size = windows_size * sizeof(double);
|
||||
}
|
||||
res = (LineContribType *) gdMalloc(sizeof(LineContribType));
|
||||
if (!res) {
|
||||
return NULL;
|
||||
@ -908,15 +913,10 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
|
||||
return NULL;
|
||||
}
|
||||
for (u = 0 ; u < line_length ; u++) {
|
||||
if (overflow2(windows_size, sizeof(double))) {
|
||||
overflow_error = 1;
|
||||
} else {
|
||||
res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
|
||||
}
|
||||
if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
|
||||
res->ContribRow[u].Weights = (double *) gdMalloc(weights_size);
|
||||
if (res->ContribRow[u].Weights == NULL) {
|
||||
unsigned int i;
|
||||
u--;
|
||||
for (i=0;i<=u;i++) {
|
||||
for (i=0;i<u;i++) {
|
||||
gdFree(res->ContribRow[i].Weights);
|
||||
}
|
||||
gdFree(res->ContribRow);
|
||||
|
21
ext/gd/tests/bug77269.phpt
Normal file
21
ext/gd/tests/bug77269.phpt
Normal file
@ -0,0 +1,21 @@
|
||||
--TEST--
|
||||
Bug #77269 (Potential unsigned underflow in gdImageScale)
|
||||
--SKIPIF--
|
||||
<?php
|
||||
if (!extension_loaded('gd')) die('skip gd extension not available');
|
||||
if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
|
||||
?>
|
||||
--INI--
|
||||
memory_limit=2G
|
||||
--FILE--
|
||||
<?php
|
||||
$im = imagecreate(2**28, 1);
|
||||
if(is_resource($im)) {
|
||||
imagescale($im, 1, 1, IMG_TRIANGLE);
|
||||
}
|
||||
?>
|
||||
===DONE===
|
||||
--EXPECTF--
|
||||
Warning: imagecreate():%S product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
|
||||
in %s on line %d
|
||||
===DONE===
|
Loading…
Reference in New Issue
Block a user