File php-CVE-2016-7568.patch of Package php5.11538

Index: php-5.6.1/ext/gd/libgd/gd_webp.c
===================================================================
--- php-5.6.1.orig/ext/gd/libgd/gd_webp.c	2016-10-14 09:04:49.627007804 +0200
+++ php-5.6.1/ext/gd/libgd/gd_webp.c	2016-10-14 09:09:48.151627161 +0200
@@ -2,6 +2,7 @@
 #include <math.h>
 #include <string.h>
 #include <stdlib.h>
+#include <limits.h>
 #include "gd.h"
 
 
@@ -159,6 +160,19 @@ int mapQualityToVP8QP(int quality) {
 	return (int)(vp8qp + 0.5);
 }
 
+int overflow_add(int a, int b)
+{
+       if( a > INT_MAX - b)
+               return 1;
+       return 0;
+}
+
+int overflow3(int a, int b, int c)
+{
+       return (overflow2(a,b) + overflow2(a*b, c));
+}
+
+
 /* This routine is based in part on code from Dale Lutz (Safe Software Inc.)
  *  and in part on demo code from Chapter 15 of "PNG: The Definitive Guide"
  *  (http://www.cdrom.com/pub/png/pngbook.html).
@@ -182,6 +196,19 @@ void gdImageWebpCtx (gdImagePtr im, gdIO
     yuv_height = (height + 1) >> 1;
     yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
 
+    if (overflow2(width, height)) {
+      return;
+    }
+
+    if (overflow3(2, yuv_width, yuv_height)) {
+      return;
+    }
+
+    if (overflow_add(width * height, 2 * yuv_width * yuv_height)) {
+      return;
+    }
+
+
     if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
     	php_gd_error("gd-webp error: cannot allocate Y buffer");
         return;