File gd-CVE-2016-6207.patch of Package gd.2670

Index: libgd-2.1.0/src/gd.c
===================================================================
--- libgd-2.1.0.orig/src/gd.c	2013-06-25 11:58:23.000000000 +0200
+++ libgd-2.1.0/src/gd.c	2016-08-08 15:04:29.487691217 +0200
@@ -207,7 +207,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru
 		return 0;
 	}
 
-	if (overflow2(sizeof(int), sx)) {
+	if (overflow2(sizeof(int *), sx)) {
 		return NULL;
 	}
 
Index: libgd-2.1.0/src/gd_interpolation.c
===================================================================
--- libgd-2.1.0.orig/src/gd_interpolation.c	2013-06-25 11:58:23.000000000 +0200
+++ libgd-2.1.0/src/gd_interpolation.c	2016-08-08 15:05:50.725062244 +0200
@@ -901,6 +901,7 @@ static inline LineContribType * _gdContr
 {
 	unsigned int u = 0;
 	LineContribType *res;
+	int overflow_error = 0;
 
 	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
 	if (!res) {
@@ -908,10 +909,31 @@ static inline LineContribType * _gdContr
 	}
 	res->WindowSize = windows_size;
 	res->LineLength = line_length;
+	if (overflow2(line_length, sizeof(ContributionType))) {
+		gdFree(res);
+		return NULL;
+	}
 	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
-
+	if (res->ContribRow == NULL) {
+		gdFree(res);
+		return NULL;
+	}
 	for (u = 0 ; u < line_length ; u++) {
-		res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+		if (overflow2(windows_size, sizeof(double))) {
+			overflow_error = 1;
+		} else {
+			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+		}
+		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+			unsigned int i;
+			u--;
+			for (i=0;i<=u;i++) {
+				gdFree(res->ContribRow[i].Weights);
+			}
+			gdFree(res->ContribRow);
+			gdFree(res);
+			return NULL;
+		}
 	}
 	return res;
 }
@@ -944,7 +966,9 @@ static inline LineContribType *_gdContri
 
 	windows_size = 2 * (int)ceil(width_d) + 1;
 	res = _gdContributionsAlloc(line_size, windows_size);
-
+	if (res == NULL) {
+		return NULL;
+	}
 	for (u = 0; u < line_size; u++) {
 		const double dCenter = (double)u / scale_d;
 		/* get the significant edge points affecting the pixel */
openSUSE Build Service is sponsored by