diff options
author | Mike Frysinger <vapier@gentoo.org> | 2005-12-21 01:55:23 +0000 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2005-12-21 01:55:23 +0000 |
commit | d9a1aa33f7dffd396f46b7886459fa056a051bfe (patch) | |
tree | a862e01cbaa7e2279c07551ca3a8c6081c67557d /media-libs/gd/files | |
parent | old (diff) | |
download | gentoo-2-d9a1aa33f7dffd396f46b7886459fa056a051bfe.tar.gz gentoo-2-d9a1aa33f7dffd396f46b7886459fa056a051bfe.tar.bz2 gentoo-2-d9a1aa33f7dffd396f46b7886459fa056a051bfe.zip |
Add some sanity checks to prevent overflows #112937.
(Portage version: 2.0.53)
Diffstat (limited to 'media-libs/gd/files')
-rw-r--r-- | media-libs/gd/files/digest-gd-2.0.33 | 1 | ||||
-rw-r--r-- | media-libs/gd/files/gd-2.0.33-overflow-checks.patch | 49 |
2 files changed, 50 insertions, 0 deletions
diff --git a/media-libs/gd/files/digest-gd-2.0.33 b/media-libs/gd/files/digest-gd-2.0.33 new file mode 100644 index 000000000000..0fae85af693b --- /dev/null +++ b/media-libs/gd/files/digest-gd-2.0.33 @@ -0,0 +1 @@ +MD5 be0a6d326cd8567e736fbc75df0a5c45 gd-2.0.33.tar.gz 587617 diff --git a/media-libs/gd/files/gd-2.0.33-overflow-checks.patch b/media-libs/gd/files/gd-2.0.33-overflow-checks.patch new file mode 100644 index 000000000000..6a028a13093d --- /dev/null +++ b/media-libs/gd/files/gd-2.0.33-overflow-checks.patch @@ -0,0 +1,49 @@ +add some sanity checks to prevent integer overflows when +allocating memory for big images + +http://bugs.gentoo.org/112937 + +--- gd/gd.c ++++ gd/gd.c +@@ -74,6 +74,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (i + im = (gdImage *) gdMalloc (sizeof (gdImage)); + memset (im, 0, sizeof (gdImage)); + /* Row-major ever since gd 1.3 */ ++ if (overflow2(sizeof (unsigned char *), sy)) { ++ gdFree(im); ++ return NULL; ++ } + im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy); + im->polyInts = 0; + im->polyAllocated = 0; +@@ -114,6 +118,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru + gdImagePtr im; + im = (gdImage *) gdMalloc (sizeof (gdImage)); + memset (im, 0, sizeof (gdImage)); ++ if (overflow2(sizeof (int *), sy)) { ++ gdFree(im); ++ return NULL; ++ } + im->tpixels = (int **) gdMalloc (sizeof (int *) * sy); + im->polyInts = 0; + im->polyAllocated = 0; +@@ -2462,6 +2470,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro + } + bytes = (w * h / 8) + 1; + im = gdImageCreate (w, h); ++ if (!im) ++ return 0; + gdImageColorAllocate (im, 255, 255, 255); + gdImageColorAllocate (im, 0, 0, 0); + x = 0; +--- gd/gd_gd.c ++++ gd/gd_gd.c +@@ -149,6 +149,8 @@ _gdCreateFromFile (gdIOCtx * in, int *sx + { + im = gdImageCreate (*sx, *sy); + } ++ if (!im) ++ goto fail1; + if (!_gdGetColors (in, im, gd2xFlag)) + { + goto fail2; |