Bug 213020

(-)graphics/gd/Makefile (working copy) (-1 / +1 lines)
Lines 3-9
3
3
4
PORTNAME=      libgd
4
PORTNAME=      libgd
5
PORTVERSION=   2.2.3
5
PORTVERSION=   2.2.3
6
PORTREVISION?= 0
6
PORTREVISION?= 1
7
PORTEPOCH=     1
7
PORTEPOCH=     1
8
CATEGORIES+=   graphics
8
CATEGORIES+=   graphics
9
MASTER_SITES=  https://github.com/${PORTNAME}/${PORTNAME}/releases/download/gd-${PORTVERSION}/
9
MASTER_SITES=  https://github.com/${PORTNAME}/${PORTNAME}/releases/download/gd-${PORTVERSION}/
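Review bot: The bump on the `PORTREVISION?= 1` line only takes effect where nothing has assigned PORTREVISION earlier, because `?=` keeps any value that is already set. If another port includes this Makefile and sets its own PORTREVISION, that port needs its own bump for the rebuilt library with the gd_webp.c fix to reach its users. It would also help to say in the commit log that the bump is for a security fix, so that the reason for the forced rebuild is on record.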
(-)graphics/gd/files/patch-src_gd__webp.c (working copy) (+27 lines)
Line 0
1
LibGD Issue: https://github.com/libgd/libgd/issues/308
2
Commit: https://github.com/libgd/libgd/commit/40bec0f38f50e8510f5bb71a82f516d46facde03
3
4
Fix integer overflow in gdImageWebpCtx
5
6
Integer overflow can be happened in expression gdImageSX(im) * 4 *
7
gdImageSY(im). It could lead to heap buffer overflow in the following
8
code. This issue has been reported to the PHP Bug Tracking System. The
9
proof-of-concept file will be supplied some days later. This issue was
10
discovered by Ke Liu of Tencent's Xuanwu LAB.
11
--- src/gd_webp.c.orig 2016-07-21 08:06:42 UTC
12
+++ src/gd_webp.c
13
@@ -126,6 +126,14 @@ void gdImageWebpCtx (gdImagePtr im, gdIO
14
               quantization = 80;
15
       }
16
 
17
+      if (overflow2(gdImageSX(im), 4)) {
18
+              return;
19
+      }
20
+
21
+      if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
22
+              return;
23
+      }
24
+
25
       argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
26
       if (!argb) {
27
               return;
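Review bot: The two added `return;` statements ahead of the `gdMalloc` call give the caller no failure signal, since `gdImageWebpCtx` is declared `void`; on an oversized image the function now exits without writing anything to the output context, the same way the existing `if (!argb)` path does. That is acceptable for a backport that mirrors the upstream commit, but callers should treat an empty result as an error rather than as a valid image. The second check, `overflow2(gdImageSX(im) * 4, gdImageSY(im))`, is only sound because the first check has already shown that `gdImageSX(im) * 4` does not overflow, so the order of the two checks must be kept; a one-line comment saying so would protect against a later reordering or merge of the two. The patch header says the proof-of-concept file is to follow, so there is no regression test here; one should be added once the reproducer is available.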
