FreeBSD Bugzilla – Attachment 175197 Details for Bug 213020: graphics/gd: Fix integer overflow in gdImageWebpCtx
[patch] Fix integer overflow in gdImageWebpCtx
file_213020.txt (text/plain), 1.68 KB, created by VK on 2016-09-27 13:27:17 UTC
>Index: graphics/gd/Makefile >=================================================================== >--- graphics/gd/Makefile (revision 422812) >+++ graphics/gd/Makefile (working copy) >@@ -3,7 +3,7 @@ > > PORTNAME= libgd > PORTVERSION= 2.2.3 >-PORTREVISION?= 0 >+PORTREVISION?= 1 > PORTEPOCH= 1 > CATEGORIES+= graphics > MASTER_SITES= https://github.com/${PORTNAME}/${PORTNAME}/releases/download/gd-${PORTVERSION}/ >Index: graphics/gd/files/patch-src_gd__webp.c >=================================================================== >--- graphics/gd/files/patch-src_gd__webp.c (nonexistent) >+++ graphics/gd/files/patch-src_gd__webp.c (working copy) >@@ -0,0 +1,27 @@ >+LibGD Issue: https://github.com/libgd/libgd/issues/308 >+Commit: https://github.com/libgd/libgd/commit/40bec0f38f50e8510f5bb71a82f516d46facde03 >+ >+Fix integer overflow in gdImageWebpCtx >+ >+Integer overflow can be happened in expression gdImageSX(im) * 4 * >+gdImageSY(im). It could lead to heap buffer overflow in the following >+code. This issue has been reported to the PHP Bug Tracking System. The >+proof-of-concept file will be supplied some days later. This issue was >+discovered by Ke Liu of Tencent's Xuanwu LAB. >+--- src/gd_webp.c.orig 2016-07-21 08:06:42 UTC >++++ src/gd_webp.c >+@@ -126,6 +126,14 @@ void gdImageWebpCtx (gdImagePtr im, gdIO >+ quantization = 80; >+ } >+ >++ if (overflow2(gdImageSX(im), 4)) { >++ return; >++ } >++ >++ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) { >++ return; >++ } >++ >+ argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im)); >+ if (!argb) { >+ return;
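Review bot: in the src/gd_webp.c hunk, both new overflow2() branches leave gdImageWebpCtx with a bare `return;`, and because the function is declared void the caller gets no signal that encoding was skipped. That matches the existing `if (!argb) { return; }` path, but an image whose dimensions trip the check now fails silently, so consider reporting the failure before returning, or at least stating this behaviour in the patch header. The second guard, `overflow2(gdImageSX(im) * 4, gdImageSY(im))`, is only sound because the first guard has already ruled out overflow in `gdImageSX(im) * 4`; a one-line comment recording that ordering dependency would keep a later cleanup from merging or reordering the two checks.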
Flags: vlad-fbsd: maintainer-approval? (dinoex)