diff options
Diffstat (limited to 'lang/php5/patches/patch-ac')
-rw-r--r-- | lang/php5/patches/patch-ac | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/lang/php5/patches/patch-ac b/lang/php5/patches/patch-ac new file mode 100644 index 00000000000..39d6a620db1 --- /dev/null +++ b/lang/php5/patches/patch-ac @@ -0,0 +1,40 @@ +$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $ + +Patch for CVE-2007-1001, taken from here: + +http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch + +--- ext/gd/libgd/wbmp.c.orig 2003-12-31 01:01:44.000000000 +0000 ++++ ext/gd/libgd/wbmp.c 2007-05-06 13:41:13.000000000 +0100 +@@ -116,6 +116,15 @@ + if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL) + return (NULL); + ++ if (overflow2(sizeof (int), width)) { ++ gdFree(wbmp); ++ return NULL; ++ } ++ if (overflow2(sizeof (int) * width, height)) { ++ gdFree(wbmp); ++ return NULL; ++ } ++ + if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL) + { + gdFree (wbmp); +@@ -176,7 +185,14 @@ + printf ("W: %d, H: %d\n", wbmp->width, wbmp->height); + #endif + +- if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) ++ if (overflow2(sizeof (int), wbmp->width) || ++ overflow2(sizeof (int) * wbmp->width, wbmp->height)) ++ { ++ gdFree(wbmp); ++ return (-1); ++ } ++ ++ if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) + { + gdFree (wbmp); + return (-1); |