
gd-2.0.33-9.4.el5_4.2.src.rpm

--- gd-2.0.33/gd.c	2008-02-15 15:21:21.000000000 +0100
+++ gd-2.0.33/gd.c.sigsegv	2008-02-15 15:21:27.000000000 +0100
@@ -71,15 +72,27 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (i
 {
   int i;
   gdImagePtr im;
+
+  if (overflow2(sizeof (unsigned char *), sy)) {
+		return NULL;
+  }
+  if (overflow2(sizeof (unsigned char *), sx)) {
+		return NULL;
+  }
+
   im = (gdImage *) gdMalloc (sizeof (gdImage));
+	if (!im) {
+		return NULL;
+	}
+
   memset (im, 0, sizeof (gdImage));
-  if (overflow2(sizeof (unsigned char *), sy))
-  {
-    gdFree(im);
-    return NULL;
-  }
   /* Row-major ever since gd 1.3 */
   im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
+	if (!im->pixels) {
+		gdFree(im);
+		return NULL;
+	}
+
   im->polyInts = 0;
   im->polyAllocated = 0;
   im->brush = 0;
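Review bot: The guards added at the top of gdImageCreate bound each allocation size on its own but never check the product of the two dimensions. gdImageCreateTrueColor in this same patch opens with `if (overflow2(sx, sy)) { return NULL; }`, and the palette constructor should carry the same check. The gdImageCreateFromXbm hunk further down still evaluates `bytes = (w * h / 8) + 1;` in plain int arithmetic before gdImageCreate is called, so that caller needs its own overflow2(w, h) test ahead of the multiplication. The second guard multiplies sx by `sizeof (unsigned char *)` although rows are allocated with `gdCalloc (sx, sizeof (unsigned char))`; that is stricter than required rather than unsafe, but it deserves a comment. The function body continues past the end of this hunk.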
@@ -89,6 +102,17 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (i
     {
       /* Row-major ever since gd 1.3 */
       im->pixels[i] = (unsigned char *) gdCalloc (sx, sizeof (unsigned char));
+			if (!im->pixels[i]) 
+			{
+				for (--i ; i >= 0; i--)
+				{
+					gdFree(im->pixels[i]);
+				}
+				gdFree(im->pixels);
+				gdFree(im);
+				return NULL;
+			}
+
     }
   im->sx = sx;
   im->sy = sy;
@@ -117,9 +141,30 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru
 {
   int i;
   gdImagePtr im;
+
+  if (overflow2(sx, sy)) {
+    return NULL;
+  }
+
+  if (overflow2(sizeof (int *), sy)) {
+    return 0;
+  }
+
+  if (overflow2(sizeof(int), sx)) {
+    return NULL;
+  }
+
   im = (gdImage *) gdMalloc (sizeof (gdImage));
+  if (!im) {
+    return 0;
+  }
   memset (im, 0, sizeof (gdImage));
+
   im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
+  if (!im->tpixels) {
+    gdFree(im);
+    return 0;
+  }
   im->polyInts = 0;
   im->polyAllocated = 0;
   im->brush = 0;
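Review bot: The failure paths added to gdImageCreateTrueColor alternate between `return NULL;` and `return 0;`: the three overflow2 guards use NULL, 0, NULL, and both allocation checks use 0. The two are equivalent for a gdImagePtr, but a single spelling, `return NULL;` as in gdImageCreate above, would make the error exits easier to grep and audit. The same mix continues in the row-allocation cleanup in the next hunk, and the function body extends beyond this one.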
@@ -128,6 +173,17 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru
   for (i = 0; (i < sy); i++)
     {
       im->tpixels[i] = (int *) gdCalloc (sx, sizeof (int));
+      if (!im->tpixels[i]) {
+        /* 2.0.34 */
+        i--;
+        while (i >= 0) {
+          gdFree(im->tpixels[i]);
+          i--;
+        }
+        gdFree(im->tpixels);
+        gdFree(im);
+        return 0;
+      }
     }
   im->sx = sx;
   im->sy = sy;
@@ -2467,6 +2855,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
     }
   bytes = (w * h / 8) + 1;
   im = gdImageCreate (w, h);
+  if (!im) {
+    return 0;
+  }
+
   gdImageColorAllocate (im, 255, 255, 255);
   gdImageColorAllocate (im, 0, 0, 0);
   x = 0;
@@ -2597,6 +2989,9 @@ BGD_DECLARE(void) gdImageFilledPolygon (
         return;
       }
       im->polyInts = (int *) gdMalloc (sizeof (int) * n);
+			if (!im->polyInts) {
+				return;
+			}
       im->polyAllocated = n;
     }
   if (im->polyAllocated < n)
@@ -2610,6 +3005,9 @@ BGD_DECLARE(void) gdImageFilledPolygon (
       }
       im->polyInts = (int *) gdRealloc (im->polyInts,
 					sizeof (int) * im->polyAllocated);
+			if (!im->polyInts) {
+				return;
+			}
     }
   miny = p[0].y;
   maxy = p[0].y;
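Review bot: When gdRealloc fails here, the assignment has already overwritten im->polyInts with NULL, so the old buffer is leaked. im->polyAllocated also keeps the enlarged value used as the size argument, which appears to be set before the call. A later call with a polygon that fits the recorded capacity would then pass the `if (im->polyAllocated < n)` test visible above and, presumably, write through a NULL im->polyInts. Reallocating into a temporary and resetting both fields on failure keeps the pointer and capacity consistent, as sketched below; the declaration has to move to the top of the block if the file is built as C89. The rest of gdImageFilledPolygon lies outside this hunk.

```c
/* … unchanged: growth of im->polyAllocated … */
      int *grown = (int *) gdRealloc (im->polyInts,
                                      sizeof (int) * im->polyAllocated);
      if (!grown) {
        /* keep pointer and capacity consistent for later calls */
        gdFree (im->polyInts);
        im->polyInts = 0;
        im->polyAllocated = 0;
        return;
      }
      im->polyInts = grown;
```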
@@ -2764,6 +3162,9 @@ BGD_DECLARE(void) gdImageSetStyle (gdIma
     return;
   }   	
   im->style = (int *) gdMalloc (sizeof (int) * noOfPixels);
+	if (!im->style) {
+		return;
+	}
   memcpy (im->style, style, sizeof (int) * noOfPixels);
   im->styleLength = noOfPixels;
   im->stylePos = 0;
--- gd-2.0.33/gd_gif_in.c	2008-02-18 12:17:09.000000000 +0100
+++ gd-2.0.33/gd_gif_in.c_maxcol	2008-02-18 12:17:16.000000000 +0100
@@ -523,6 +523,10 @@ ReadImage(gdImagePtr im, gdIOCtx *fd, in
        /*} */
 
        while ((v = LWZReadByte(fd,FALSE,c, ZeroDataBlockP)) >= 0 ) {
+               if (v >= gdMaxColors) { 
+                       v = 0; 
+               }
+
                /* This how we recognize which colors are actually used. */
                if (im->open[v]) {
                        im->open[v] = 0;
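Review bot: The clamp added at the top of the loop has no comment saying that it exists to keep the `im->open[v]` access just below inside the gdMaxColors-sized palette arrays. It also silently turns an out-of-range decoded value into colour index 0 rather than rejecting the image. A comment such as `/* decoded index beyond the palette: map to 0 so im->open[v] stays in bounds */` would record both facts. The lower bound is already covered by the loop condition `>= 0`. ReadImage continues outside the hunk.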
--- gd-2.0.33/gdft.c	2004-11-02 22:00:48.000000000 +0100
+++ gd-2.0.33/gdft.c_null	2008-02-18 12:57:05.000000000 +0100
@@ -1161,7 +1161,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d 
 		{
 		  ch = c & 0xFF;	/* don't extend sign */
 		}
-	      next++;
+	      if(*next) next++;
 	    }
 	    break;
 	  case gdFTEX_Big5:
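Review bot: The guard `if(*next) next++;` is added without a comment and without braces, so the reason for it is not recorded. It presumably stops the cursor from stepping over the string terminator when the input ends partway through a multi-byte sequence. I would write it as `if (*next) { next++; }` preceded by `/* do not advance past the terminating '\0' */`. Only the tail of this case is visible here, so whether the other encoding branches, including the gdFTEX_Big5 case that follows, need the same guard has to be checked against the full function.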
--- gd-2.0.33/gd_png.c	2004-10-28 20:09:52.000000000 +0200
+++ gd-2.0.33/gd_png.c_endloop	2008-02-18 16:04:08.000000000 +0100
@@ -82,7 +82,11 @@ gdPngErrorHandler (png_structp png_ptr, 
 static void
 gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
-  gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  int check;
+  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  if (check != length) {
+    png_error(png_ptr, "Read Error: truncated data");
+  }
 }
 
 static void
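Review bot: `check != length` in gdPngReadData compares an int with a png_size_t, so check is converted to an unsigned type before the comparison. A negative return from gdGetBuf still reaches png_error, but only through that conversion, and compilers warn about the mixed-sign comparison. `if (check < 0 || (png_size_t) check != length)` states the intent directly. If gdGetBuf takes its size as an int (its prototype is not on this page), a length above INT_MAX would also be narrowed at the call and should be rejected before reading.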
--- gd-2.0.33/gd_gif_in.c	2008-02-18 16:25:01.000000000 +0100
+++ gd-2.0.33/gd_gif_in.c_gcolmap	2008-02-18 16:25:07.000000000 +0100
@@ -118,7 +118,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
        char            version[4];
        /* 2.0.28: threadsafe storage */
        int ZeroDataBlock = FALSE;
-
+       int haveGlobalColormap;
        gdImagePtr im = 0;
        if (! ReadOK(fd,buf,6)) {
 		return 0;
@@ -142,11 +142,13 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
        AspectRatio     = buf[6];
 #endif
 
-       if (BitSet(buf[4], LOCALCOLORMAP)) {    /* Global Colormap */
-               if (ReadColorMap(fd, BitPixel, ColorMap)) {
-			return 0;
-		}
-       }
+        haveGlobalColormap = BitSet(buf[4], LOCALCOLORMAP);    /* Global Colormap */
+        if (haveGlobalColormap) {
+            if (ReadColorMap(fd, BitPixel, ColorMap)) {
+                return 0;
+            }
+        }
+
        for (;;) {
                if (! ReadOK(fd,&c,1)) {
                        return 0;
@@ -185,11 +187,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
                im->interlace = BitSet(buf[8], INTERLACE);
                if (! useGlobalColormap) {
                        if (ReadColorMap(fd, bitPixel, localColorMap)) { 
+                                 gdImageDestroy(im);
                                  return 0;
                        }
                        ReadImage(im, fd, imw, imh, localColorMap, 
                                  BitSet(buf[8], INTERLACE), &ZeroDataBlock); 
                } else {
+                       if (!haveGlobalColormap) {
+            				gdImageDestroy(im);
+            				return 0;
+            			}
                        ReadImage(im, fd, imw, imh,
                                  ColorMap, 
                                  BitSet(buf[8], INTERLACE), &ZeroDataBlock);
--- gd-2.0.33/gd_gif_in.c	2008-02-18 16:37:05.000000000 +0100
+++ gd-2.0.33/gd_gif_in.c_431568	2008-02-18 16:37:10.000000000 +0100
@@ -212,6 +212,11 @@ terminated:
        if (!im) {
 		return 0;
        }
+       if (!im->colorsTotal) {
+           gdImageDestroy(im);
+           return 0;
+       }
+       
        /* Check for open colors at the end, so
           we can reduce colorsTotal and ultimately
           BitsPerPixel */
@@ -500,6 +505,18 @@ ReadImage(gdImagePtr im, gdIOCtx *fd, in
        int             v;
        int             xpos = 0, ypos = 0, pass = 0;
        int i;
+       
+       /*
+        **  Initialize the Compression routines
+        */
+       if (! ReadOK(fd,&c,1)) {
+           return;
+       }
+   
+       if (c > MAX_LWZ_BITS) {
+           return;	
+       }
+
        /* Stash the color map into the image */
        for (i=0; (i<gdMaxColors); i++) {
                im->red[i] = cmap[CM_RED][i];	
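Review bot: The two early returns added at the top of ReadImage give the caller no status, because the function returns void. Rejecting a code size above MAX_LWZ_BITS therefore only takes effect if im->colorsTotal is still 0 when the caller reaches the `if (!im->colorsTotal)` test added after the `terminated:` label in this patch. That coupling depends on these checks staying ahead of the `im->colorsTotal = gdMaxColors;` assignment, and it should be documented at the returns, for example `/* return before colorsTotal is set: the caller treats colorsTotal == 0 as a failed decode */`. Returning an int status from ReadImage would be the more robust shape. Both functions extend beyond the visible hunks.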
@@ -509,12 +526,6 @@ ReadImage(gdImagePtr im, gdIOCtx *fd, in
        }
        /* Many (perhaps most) of these colors will remain marked open. */
        im->colorsTotal = gdMaxColors;
-       /*
-       **  Initialize the Compression routines
-       */
-       if (! ReadOK(fd,&c,1)) {
-               return; 
-       }
        if (LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0) {
                return;
        }