[packages/gd.git] / gd-security.patch

diff -u gd-2.0.28/gd.c gd-2.0.28/gd.c
--- gd-2.0.28/gd.c	2004-11-02 17:47:12.977824069 +0100
+++ gd-2.0.28/gd.c	2006-01-20 11:14:42.000000000 +0100
@@ -73,6 +73,11 @@
   gdImagePtr im;
   im = (gdImage *) gdMalloc (sizeof (gdImage));
   memset (im, 0, sizeof (gdImage));
+  if (overflow2(sizeof (unsigned char *), sy))
+  {
+    gdFree(im);
+    return NULL;
+  }
   /* Row-major ever since gd 1.3 */
   im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
   im->polyInts = 0;
@@ -2586,6 +2591,9 @@
 	{
 	  im->polyAllocated *= 2;
 	}
+      if (overflow2(sizeof (int), im->polyAllocated)) {
+        return;
+      }
       im->polyInts = (int *) gdRealloc (im->polyInts,
 					sizeof (int) * im->polyAllocated);
     }
only in patch2:
unchanged:
--- gd-2.0.28/gdxpm.c.security	2006-01-20 11:14:52.000000000 +0100
+++ gd-2.0.28/gdxpm.c	2006-01-20 11:15:26.000000000 +0100
@@ -48,6 +48,9 @@
     return 0;
 
   number = image.ncolors;
+  if (overflow2(sizeof (int), number)) {
+    return 0;
+  }
   colors = (int *) gdMalloc (sizeof (int) * number);
   if (colors == NULL)
     return (0);
Commit	Line	Data
b6c3e5c7 JB	1	diff -u gd-2.0.28/gd.c gd-2.0.28/gd.c
	2	--- gd-2.0.28/gd.c 2004-11-02 17:47:12.977824069 +0100
	3	+++ gd-2.0.28/gd.c 2006-01-20 11:14:42.000000000 +0100
	4	@@ -73,6 +73,11 @@
	5	gdImagePtr im;
	6	im = (gdImage *) gdMalloc (sizeof (gdImage));
	7	memset (im, 0, sizeof (gdImage));
	8	+ if (overflow2(sizeof (unsigned char *), sy))
	9	+ {
	10	+ gdFree(im);
	11	+ return NULL;
	12	+ }
	13	/* Row-major ever since gd 1.3 */
	14	im->pixels = (unsigned char *) gdMalloc (sizeof (unsigned char ) * sy);
	15	im->polyInts = 0;
	16	@@ -2586,6 +2591,9 @@
	17	{
	18	im->polyAllocated *= 2;
	19	}
	20	+ if (overflow2(sizeof (int), im->polyAllocated)) {
	21	+ return;
	22	+ }
	23	im->polyInts = (int *) gdRealloc (im->polyInts,
	24	sizeof (int) * im->polyAllocated);
	25	}
	26	only in patch2:
	27	unchanged:
	28	--- gd-2.0.28/gdxpm.c.security 2006-01-20 11:14:52.000000000 +0100
	29	+++ gd-2.0.28/gdxpm.c 2006-01-20 11:15:26.000000000 +0100
	30	@@ -48,6 +48,9 @@
	31	return 0;
	32
	33	number = image.ncolors;
	34	+ if (overflow2(sizeof (int), number)) {
	35	+ return 0;
	36	+ }
	37	colors = (int ) gdMalloc (sizeof (int) number);
	38	if (colors == NULL)
	39	return (0);