SOURCES: gd-security.patch (NEW) - overflow fixes (from FC)

qboosh qboosh at pld-linux.org
Sun Mar 5 15:22:26 CET 2006


Author: qboosh                       Date: Sun Mar  5 14:22:26 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- overflow fixes (from FC)

---- Files affected:
SOURCES:
   gd-security.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/gd-security.patch
diff -u /dev/null SOURCES/gd-security.patch:1.1
--- /dev/null	Sun Mar  5 15:22:26 2006
+++ SOURCES/gd-security.patch	Sun Mar  5 15:22:21 2006
@@ -0,0 +1,39 @@
+diff -u gd-2.0.28/gd.c gd-2.0.28/gd.c
+--- gd-2.0.28/gd.c	2004-11-02 17:47:12.977824069 +0100
++++ gd-2.0.28/gd.c	2006-01-20 11:14:42.000000000 +0100
+@@ -73,6 +73,11 @@
+   gdImagePtr im;
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   memset (im, 0, sizeof (gdImage));
++  if (overflow2(sizeof (unsigned char *), sy))
++  {
++    gdFree(im);
++    return NULL;
++  }
+   /* Row-major ever since gd 1.3 */
+   im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
+   im->polyInts = 0;
+@@ -2586,6 +2591,9 @@
+ 	{
+ 	  im->polyAllocated *= 2;
+ 	}
++      if (overflow2(sizeof (int), im->polyAllocated)) {
++        return;
++      }
+       im->polyInts = (int *) gdRealloc (im->polyInts,
+ 					sizeof (int) * im->polyAllocated);
+     }
+only in patch2:
+unchanged:
+--- gd-2.0.28/gdxpm.c.security	2006-01-20 11:14:52.000000000 +0100
++++ gd-2.0.28/gdxpm.c	2006-01-20 11:15:26.000000000 +0100
+@@ -48,6 +48,9 @@
+     return 0;
+ 
+   number = image.ncolors;
++  if (overflow2(sizeof (int), number)) {
++    return 0;
++  }
+   colors = (int *) gdMalloc (sizeof (int) * number);
+   if (colors == NULL)
+     return (0);
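Review bot: In the gd.c polygon hunk the new `return;` fires after the doubling just above it has already changed `im->polyAllocated`, so the image is left recording a larger capacity than `im->polyInts` actually has. A later call whose point count fits within that inflated value would presumably skip the reallocation and index past the old buffer; the enclosing size test is outside the hunk, so confirm against the full function. Compute the grown size in a local and store it to `im->polyAllocated` only after `overflow2` passes and `gdRealloc` returns non-NULL, since the `gdRealloc` result is also assigned unchecked. In the first gd.c hunk `memset (im, 0, sizeof (gdImage));` still runs before any NULL test on `im`, so `if (im == NULL) return NULL;` belongs ahead of it. `overflow2` is neither declared nor defined in this patch, so it presumably comes from the gd tree or an earlier patch, and both its presence and its handling of negative counts should be confirmed before relying on these checks.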
================================================================

