summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2005-12-21 01:55:23 +0000
committerMike Frysinger <vapier@gentoo.org>2005-12-21 01:55:23 +0000
commit1d1dd4e470bf35064541b091030b33434d3b7cc3 (patch)
tree72fda59bd99905a063171f3b91fa0d43d29275a2 /media-libs/gd/files
parentold (diff)
downloadhistorical-1d1dd4e470bf35064541b091030b33434d3b7cc3.tar.gz
historical-1d1dd4e470bf35064541b091030b33434d3b7cc3.tar.bz2
historical-1d1dd4e470bf35064541b091030b33434d3b7cc3.zip
Add some sanity checks to prevent overflows #112937.
Package-Manager: portage-2.0.53
Diffstat (limited to 'media-libs/gd/files')
-rw-r--r--media-libs/gd/files/digest-gd-2.0.331
-rw-r--r--media-libs/gd/files/gd-2.0.33-overflow-checks.patch49
2 files changed, 50 insertions, 0 deletions
diff --git a/media-libs/gd/files/digest-gd-2.0.33 b/media-libs/gd/files/digest-gd-2.0.33
new file mode 100644
index 000000000000..0fae85af693b
--- /dev/null
+++ b/media-libs/gd/files/digest-gd-2.0.33
@@ -0,0 +1 @@
+MD5 be0a6d326cd8567e736fbc75df0a5c45 gd-2.0.33.tar.gz 587617
diff --git a/media-libs/gd/files/gd-2.0.33-overflow-checks.patch b/media-libs/gd/files/gd-2.0.33-overflow-checks.patch
new file mode 100644
index 000000000000..6a028a13093d
--- /dev/null
+++ b/media-libs/gd/files/gd-2.0.33-overflow-checks.patch
@@ -0,0 +1,49 @@
+add some sanity checks to prevent integer overflows when
+allocating memory for big images
+
+http://bugs.gentoo.org/112937
+
+--- gd/gd.c
++++ gd/gd.c
+@@ -74,6 +74,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (i
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ memset (im, 0, sizeof (gdImage));
+ /* Row-major ever since gd 1.3 */
++ if (overflow2(sizeof (unsigned char *), sy)) {
++ gdFree(im);
++ return NULL;
++ }
+ im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
+ im->polyInts = 0;
+ im->polyAllocated = 0;
+@@ -114,6 +118,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru
+ gdImagePtr im;
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ memset (im, 0, sizeof (gdImage));
++ if (overflow2(sizeof (int *), sy)) {
++ gdFree(im);
++ return NULL;
++ }
+ im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
+ im->polyInts = 0;
+ im->polyAllocated = 0;
+@@ -2462,6 +2470,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im)
++ return 0;
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
+--- gd/gd_gd.c
++++ gd/gd_gd.c
+@@ -149,6 +149,8 @@ _gdCreateFromFile (gdIOCtx * in, int *sx
+ {
+ im = gdImageCreate (*sx, *sy);
+ }
++ if (!im)
++ goto fail1;
+ if (!_gdGetColors (in, im, gd2xFlag))
+ {
+ goto fail2;