-rw-r--r--ext/gd/libgd/gd_gd2.c21
-rw-r--r--ext/gd/libgd/gd_jpeg.c6
2 files changed, 22 insertions, 5 deletions
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 80fb2b8a96..5034afec60 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -139,6 +139,9 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
nc = (*ncx) * (*ncy);
GD2_DBG(php_gd_error("Reading %d chunk index entries\n", nc));
sidx = sizeof(t_chunk_info) * nc;
+ if (sidx <= 0) {
+ goto fail1;
+ }
cidx = gdCalloc(sidx, 1);
for (i = 0; i < nc; i++) {
if (gdGetInt(&cidx[i].offset, in) != 1) {
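Review bot: The `sidx <= 0` test runs after the multiplication it is meant to guard, so it only rejects results that happen to land at or below zero. `sizeof(t_chunk_info) * nc` is evaluated in `size_t` and then narrowed into `sidx` (declared outside the hunk, presumably `int`), with `nc` built from header fields read from the file. A product that truncates to a small positive value passes the check, and the `for (i = 0; i < nc; i++)` loop then writes past an undersized `cidx`. Bound the operands before multiplying, e.g. `if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) goto fail1;` ahead of the `nc` assignment, and then `if ((size_t)nc > INT_MAX / sizeof(t_chunk_info)) goto fail1;`. The `chunkMax <= 0` checks added in gdImageCreateFromGd2Ctx and gdImageCreateFromGd2PartCtx have the same after-the-fact shape; _gd2GetHeader's body continues outside the hunk.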
@@ -272,6 +275,9 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
/* Allocate buffers */
chunkMax = cs * bytesPerPixel * cs;
+ if (chunkMax <= 0) {
+ return 0;
+ }
chunkBuf = gdCalloc(chunkMax, 1);
compBuf = gdCalloc(compMax, 1);
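Review bot: The bare `return 0` added after the `chunkMax` check skips any cleanup, whereas the matching checks in _gd2GetHeader and gdImageCreateFromGd2PartCtx leave through `goto fail1` / `goto fail2`. The function starts outside the hunk, so what is live at this point is not visible, but if the image or the chunk index has already been allocated, a crafted `cs` leaks them on this path. Release whatever was allocated earlier before returning. `compMax` is also handed to `gdCalloc` two lines later without an equivalent test, unlike the `compMax <= 0` guard this commit adds in _gdImageGd2.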
@@ -447,6 +453,10 @@ gdImagePtr gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w,
} else {
chunkMax = cs * cs;
}
+ if (chunkMax <= 0) {
+ goto fail2;
+ }
+
chunkBuf = gdCalloc(chunkMax, 1);
compBuf = gdCalloc(compMax, 1);
}
@@ -659,7 +669,11 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
compMax = (int)(cs * bytesPerPixel * cs * 1.02f) + 12;
/* Allocate the buffers. */
- chunkData = gdCalloc(cs * bytesPerPixel * cs, 1);
+ chunkData = safe_emalloc(cs * bytesPerPixel, cs, 0);
+ memset(chunkData, 0, cs * bytesPerPixel * cs);
+ if (compMax <= 0) {
+ goto fail;
+ }
compData = gdCalloc(compMax, 1);
/* Save the file position of chunk index, and allocate enough space for
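Review bot: `safe_emalloc` can only check the multiplication it performs itself, but `cs * bytesPerPixel` is already multiplied in `int` before the call, and the `memset` length `cs * bytesPerPixel * cs` is recomputed in `int` afterwards. Unless `cs` is clamped earlier in _gdImageGd2 (outside the hunk), a wrapped product leaves the buffer size and the fill length disagreeing. Compute the length once in a wide type after a range check on `cs` and reuse it: `size_t chunkLen = (size_t)cs * bytesPerPixel * cs;` then `memset(chunkData, 0, chunkLen);`. The same allocate-then-recompute pattern appears in the `chunkIdx` hunk below and in both gd_jpeg.c hunks, where `cinfo.image_width * cinfo.input_components` and `cinfo.output_width * 3` are multiplied before being passed in.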
@@ -670,7 +684,8 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
GD2_DBG(php_gd_error("Index size is %d\n", idxSize));
gdSeek(out, idxPos + idxSize);
- chunkIdx = gdCalloc(idxSize * sizeof(t_chunk_info), 1);
+ chunkIdx = safe_emalloc(idxSize, sizeof(t_chunk_info), 0);
+ memset(chunkIdx, 0, idxSize * sizeof(t_chunk_info));
}
_gdPutColors (im, out);
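Review bot: `idxSize` reads as a byte count in this hunk, since it is added to a file position in `gdSeek(out, idxPos + idxSize)` and logged as the index size. The new call nevertheless passes it to `safe_emalloc` as an element count and multiplies it by `sizeof(t_chunk_info)` again in the `memset`. That carries over the sizing of the removed `gdCalloc(idxSize * sizeof(t_chunk_info), 1)`. If `idxSize` is already in bytes (its assignment is outside the hunk), the buffer is over-allocated by a factor of `sizeof(t_chunk_info)`, which is not a memory-safety problem but hides the real bound. Size the allocation by the number of index entries and add a comment such as `/* idxSize is in bytes, not entries */` where it is computed.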
@@ -754,7 +769,7 @@ static void _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
}
gdSeek(out, posSave);
}
-
+fail:
GD2_DBG(php_gd_error("Freeing memory\n"));
if (chunkData) {
gdFree(chunkData);
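Review bot: The new `fail:` label is reached from the `compMax <= 0` check, which runs before `compData` and `chunkIdx` are assigned. Only the `chunkData` release is visible in this hunk; if the cleanup below it also frees those two pointers, the jump is safe only when all three are initialised to NULL at declaration, which is outside the hunk and worth confirming. A comment at the label, e.g. `/* may be entered with compData and chunkIdx still NULL */`, would record that assumption. Since _gdImageGd2 returns `void`, this path is also indistinguishable from success for the caller, so the output may be left truncated without any error being reported.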
diff --git a/ext/gd/libgd/gd_jpeg.c b/ext/gd/libgd/gd_jpeg.c
index 8fe30108f8..0f0211c4b5 100644
--- a/ext/gd/libgd/gd_jpeg.c
+++ b/ext/gd/libgd/gd_jpeg.c
@@ -144,7 +144,8 @@ void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
jpeg_gdIOCtx_dest (&cinfo, outfile);
- row = (JSAMPROW) gdCalloc (1, cinfo.image_width * cinfo.input_components * sizeof (JSAMPLE));
+ row = (JSAMPROW) safe_emalloc(cinfo.image_width * cinfo.input_components, sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.image_width * cinfo.input_components * sizeof(JSAMPLE));
rowptr[0] = row;
jpeg_start_compress (&cinfo, TRUE);
@@ -310,7 +311,8 @@ gdImagePtr gdImageCreateFromJpegCtx (gdIOCtx * infile)
goto error;
#endif /* BITS_IN_JSAMPLE == 12 */
- row = gdCalloc (cinfo.output_width * 3, sizeof (JSAMPLE));
+ row = safe_emalloc(cinfo.output_width * 3, sizeof(JSAMPLE), 0);
+ memset(row, 0, cinfo.output_width * 3 * sizeof(JSAMPLE));
rowptr[0] = row;
for (i = 0; i < cinfo.output_height; i++) {