Diffstat (limited to 'lang/php5/patches/patch-ac')
-rw-r--r--lang/php5/patches/patch-ac40
1 files changed, 40 insertions, 0 deletions
diff --git a/lang/php5/patches/patch-ac b/lang/php5/patches/patch-ac
new file mode 100644
index 00000000000..39d6a620db1
--- /dev/null
+++ b/lang/php5/patches/patch-ac
@@ -0,0 +1,40 @@
+$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $
+
+Patch for CVE-2007-1001, taken from here:
+
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch
+
+--- ext/gd/libgd/wbmp.c.orig 2003-12-31 01:01:44.000000000 +0000
++++ ext/gd/libgd/wbmp.c 2007-05-06 13:41:13.000000000 +0100
+@@ -116,6 +116,15 @@
+ if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
+ return (NULL);
+
++ if (overflow2(sizeof (int), width)) {
++ gdFree(wbmp);
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height)) {
++ gdFree(wbmp);
++ return NULL;
++ }
++
+ if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
+ {
+ gdFree (wbmp);
+@@ -176,7 +185,14 @@
+ printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
+ #endif
+
+- if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
++ if (overflow2(sizeof (int), wbmp->width) ||
++ overflow2(sizeof (int) * wbmp->width, wbmp->height))
++ {
++ gdFree(wbmp);
++ return (-1);
++ }
++
++ if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
+ {
+ gdFree (wbmp);
+ return (-1);
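Review bot: The first embedded hunk (`@@ -116,6 +116,15 @@`) leaves the allocation as `safe_emalloc(sizeof(int), width * height, 0)`, so the product is still formed in `int`, while the second hunk (`@@ -176,7 +185,14 @@`) widens it with `(size_t)wbmp->width * wbmp->height`. The two `overflow2` guards before it appear to bound `sizeof(int) * width * height`, which would keep the `int` product in range, but that depends on how `overflow2` is defined (not visible here), in particular on it rejecting negative dimensions. If the patch is meant to stay identical to the upstream change, a line in the patch header such as `Both allocation sites rely on overflow2() rejecting negative or oversized width/height before the multiplication.` would record that assumption; otherwise the first site could use `(size_t)width * height` to match the second. Both enclosing functions start and end outside the embedded hunks.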