]>
Commit | Line | Data |
---|---|---|
b6c3e5c7 JB |
1 | diff -u gd-2.0.28/gd.c gd-2.0.28/gd.c |
2 | --- gd-2.0.28/gd.c 2004-11-02 17:47:12.977824069 +0100 | |
3 | +++ gd-2.0.28/gd.c 2006-01-20 11:14:42.000000000 +0100 | |
4 | @@ -73,6 +73,11 @@ | |
5 | gdImagePtr im; | |
6 | im = (gdImage *) gdMalloc (sizeof (gdImage)); | |
7 | memset (im, 0, sizeof (gdImage)); | |
8 | + if (overflow2(sizeof (unsigned char *), sy)) | |
9 | + { | |
10 | + gdFree(im); | |
11 | + return NULL; | |
12 | + } | |
13 | /* Row-major ever since gd 1.3 */ | |
14 | im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy); | |
15 | im->polyInts = 0; | |
16 | @@ -2586,6 +2591,9 @@ | |
17 | { | |
18 | im->polyAllocated *= 2; | |
19 | } | |
20 | + if (overflow2(sizeof (int), im->polyAllocated)) { | |
21 | + return; | |
22 | + } | |
23 | im->polyInts = (int *) gdRealloc (im->polyInts, | |
24 | sizeof (int) * im->polyAllocated); | |
25 | } | |
26 | only in patch2: | |
27 | unchanged: | |
28 | --- gd-2.0.28/gdxpm.c.security 2006-01-20 11:14:52.000000000 +0100 | |
29 | +++ gd-2.0.28/gdxpm.c 2006-01-20 11:15:26.000000000 +0100 | |
30 | @@ -48,6 +48,9 @@ | |
31 | return 0; | |
32 | ||
33 | number = image.ncolors; | |
34 | + if (overflow2(sizeof (int), number)) { | |
35 | + return 0; | |
36 | + } | |
37 | colors = (int *) gdMalloc (sizeof (int) * number); | |
38 | if (colors == NULL) | |
39 | return (0); |