equal
deleted
inserted
replaced
|
1 Fix for CVE-2016-10168 |
|
2 Signed Integer Overflow gd_io.c |
|
3 |
|
4 Change based on commit at: |
|
5 |
|
6 https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6 |
|
7 |
|
8 --- gd_gd2.c.orig 2017-01-31 07:21:54.267718272 +0000 |
|
9 +++ gd_gd2.c 2017-01-31 07:24:36.616401175 +0000 |
|
10 @@ -167,6 +167,11 @@ |
|
11 |
|
12 if (gd2_compressed (*fmt)) |
|
13 { |
|
14 + if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) |
|
15 + { |
|
16 + GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); |
|
17 + goto fail1; |
|
18 + } |
|
19 nc = (*ncx) * (*ncy); |
|
20 GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); |
|
21 sidx = sizeof (t_chunk_info) * nc; |