Fix #73003: Integer Overflow in gdImageWebpCtx of gd_webp.c

We add the missing integer overflow check to avoid potential buffer overflows.
Kaiserchen · Sep 16, 2016 · 46df064 · 46df064
1 parent 3c117d4
commit 46df064
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -22,6 +22,8 @@ PHP                                                                        NEWS
     (cmb)
   . Fixed bug #50194 (imagettftext broken on transparent background w/o
     alphablending). (cmb)
+  . Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
+    cmb)
 
 - Mbstring:
   . Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)

diff --git a/ext/gd/libgd/gd_webp.c b/ext/gd/libgd/gd_webp.c
@@ -180,6 +180,15 @@ void gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantization)
 	/* Conversion to Y,U,V buffer */
     yuv_width = (width + 1) >> 1;
     yuv_height = (height + 1) >> 1;
+
+	if (overflow2(width, height)) {
+		return;
+	}
+	/* simplification possible, because WebP must not be larger than 16384**2 */
+	if (overflow2(width * height, 2 * sizeof(unsigned char))) {
+		return;
+	}
+
     yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
 
     if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {