File php-CVE-2016-6207.patch of Package php5.3636
Index: php-7.0.7/ext/gd/libgd/gd.c
===================================================================
--- php-7.0.7.orig/ext/gd/libgd/gd.c 2016-05-25 15:13:44.000000000 +0200
+++ php-7.0.7/ext/gd/libgd/gd.c 2016-08-04 09:00:31.981679962 +0200
@@ -184,7 +184,7 @@ gdImagePtr gdImageCreateTrueColor (int s
return NULL;
}
- if (overflow2(sizeof(int), sx)) {
+ if (overflow2(sizeof(int *), sx)) {
return NULL;
}
Index: php-7.0.7/ext/gd/libgd/gd_interpolation.c
===================================================================
--- php-7.0.7.orig/ext/gd/libgd/gd_interpolation.c 2016-05-25 15:13:44.000000000 +0200
+++ php-7.0.7/ext/gd/libgd/gd_interpolation.c 2016-08-04 09:13:55.762834973 +0200
@@ -880,6 +880,7 @@ static inline LineContribType * _gdContr
{
unsigned int u = 0;
LineContribType *res;
+ int overflow_error = 0;
res = (LineContribType *) gdMalloc(sizeof(LineContribType));
if (!res) {
@@ -887,10 +888,30 @@ static inline LineContribType * _gdContr
}
res->WindowSize = windows_size;
res->LineLength = line_length;
+ if (overflow2(line_length, sizeof(ContributionType))) {
+ return NULL;
+ }
res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
-
+ if (res->ContribRow == NULL) {
+ gdFree(res);
+ return NULL;
+ }
for (u = 0 ; u < line_length ; u++) {
- res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+ if (overflow2(windows_size, sizeof(double))) {
+ overflow_error = 1;
+ } else {
+ res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+ }
+ if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+ unsigned int i;
+ u--;
+ for (i=0;i<=u;i++) {
+ gdFree(res->ContribRow[i].Weights);
+ }
+ gdFree(res->ContribRow);
+ gdFree(res);
+ return NULL;
+ }
}
return res;
}
