File php-CVE-2016-7568.patch of Package php5.openSUSE_Leap_42.1_Update
Index: php-5.6.1/ext/gd/libgd/gd_webp.c
===================================================================
--- php-5.6.1.orig/ext/gd/libgd/gd_webp.c 2016-10-14 09:04:49.627007804 +0200
+++ php-5.6.1/ext/gd/libgd/gd_webp.c 2016-10-14 09:09:48.151627161 +0200
@@ -2,6 +2,7 @@
#include <math.h>
#include <string.h>
#include <stdlib.h>
+#include <limits.h>
#include "gd.h"
@@ -159,6 +160,19 @@ int mapQualityToVP8QP(int quality) {
return (int)(vp8qp + 0.5);
}
+int overflow_add(int a, int b)
+{
+ if( a > INT_MAX - b)
+ return 1;
+ return 0;
+}
+
+int overflow3(int a, int b, int c)
+{
+ return (overflow2(a,b) + overflow2(a*b, c));
+}
+
+
/* This routine is based in part on code from Dale Lutz (Safe Software Inc.)
* and in part on demo code from Chapter 15 of "PNG: The Definitive Guide"
* (http://www.cdrom.com/pub/png/pngbook.html).
@@ -182,6 +196,19 @@ void gdImageWebpCtx (gdImagePtr im, gdIO
yuv_height = (height + 1) >> 1;
yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+ if (overflow2(width, height)) {
+ return;
+ }
+
+ if (overflow3(2, yuv_width, yuv_height)) {
+ return;
+ }
+
+ if (overflow_add(width * height, 2 * yuv_width * yuv_height)) {
+ return;
+ }
+
+
if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
php_gd_error("gd-webp error: cannot allocate Y buffer");
return;