22ead36c3c
CVE-2004-0941 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472 CVE-2007-3473 CVE-2007-3477 CVE-2009-3546 CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 Obtained from: CentOS libwmf RPM git Debian Bug 784205 Debian Bug 784192 Red Hat Bug 1227243 via Jason Unovitch in FreeBSD bug 201513 Reviewed by bsiegert@
33 lines
900 B
C
33 lines
900 B
C
$NetBSD: patch-src_extra_gd_gdhelpers.c,v 1.1 2015/07/17 12:33:47 sevan Exp $
|
|
|
|
CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function.
|
|
|
|
--- src/extra/gd/gdhelpers.c.orig 2015-07-16 23:34:21.000000000 +0000
|
|
+++ src/extra/gd/gdhelpers.c
|
|
@@ -2,6 +2,7 @@
|
|
#include "gdhelpers.h"
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
+#include <limits.h>
|
|
|
|
/* TBB: gd_strtok_r is not portable; provide an implementation */
|
|
|
|
@@ -94,3 +95,18 @@ gdFree (void *ptr)
|
|
{
|
|
free (ptr);
|
|
}
|
|
+
|
|
+int overflow2(int a, int b)
|
|
+{
|
|
+ if(a < 0 || b < 0) {
|
|
+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
|
|
+ return 1;
|
|
+ }
|
|
+ if(b == 0)
|
|
+ return 0;
|
|
+ if(a > INT_MAX / b) {
|
|
+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
|
|
+ return 1;
|
|
+ }
|
|
+ return 0;
|
|
+}
|