
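--- a/gd_png.c
+++ b/gd_png.c
@@ -342,11 +342,20 @@
 
     /* allocate space for the PNG image data */
     rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+    if (overflow2(rowbytes, height)) {
+      png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
+      return NULL;
+    }  
     if ((image_data = (png_bytep)gdMalloc(rowbytes*height)) == NULL) {
         fprintf(stderr, "gd-png error: cannot allocate image data\n");
         png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
         return NULL;
     }
+    if (overflow2(height, sizeof (png_bytep))) {
+      png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
+      gdFree (image_data);
+      return NULL;
+    }    
     if ((row_pointers = (png_bytepp)gdMalloc(height*sizeof(png_bytep))) == NULL) {
         fprintf(stderr, "gd-png error: cannot allocate row pointers\n");
         png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
@@ -577,15 +586,20 @@
      * interlaced images, but interlacing causes some serious complications. */
     if (remap) {
         png_bytep *row_pointers;
+        if (overflow2(sizeof (png_bytep), height)) {
+          return;
+        }
 	row_pointers = gdMalloc(sizeof(png_bytep) * height);
         if (row_pointers == NULL) {
             fprintf(stderr, "gd-png error: unable to allocate row_pointers\n");
+            return;
         }
         for (j = 0;  j < height;  ++j) {
             if ((row_pointers[j] = (png_bytep)gdMalloc(width)) == NULL) {
                 fprintf(stderr, "gd-png error: unable to allocate rows\n");
                 for (i = 0;  i < j;  ++i)
                     gdFree(row_pointers[i]);
+	        gdFree(row_pointers);
                 return;
             }
             for (i = 0;  i < width;  ++i)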
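Review bot: The guard `if (overflow2(rowbytes, height))` in the first hunk tests narrowed copies of its operands: overflow2 takes two ints, while png_get_rowbytes() returns a png_size_t in libpng and `height` is a png_uint_32, so both are converted to int before the multiplication is checked, and the quantity tested is not the `rowbytes*height` that gdMalloc receives. If png_size_t is 64-bit, a rowbytes value above INT_MAX could be truncated to something that passes the check rather than being rejected; a check in the allocation's own type, such as `if (height != 0 && rowbytes > SIZE_MAX / height)`, would test the actual product. The same narrowing applies to `overflow2(sizeof (png_bytep), height)` in the second hunk, whose enclosing function begins and ends outside the hunk.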
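--- /dev/null
+++ b/gd_security.c
@@ -0,0 +1,33 @@
+/*
+   * gd_security.c
+   *
+   * Implements buffer overflow check routines.
+   *
+   * Written 2004, Phil Knirsch.
+   * Based on netpbm fixes by Alan Cox.
+   *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include "gd.h"
+
+int overflow2(int a, int b)
+{
+	if(a < 0 || b < 0) {
+		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+		return 1;
+	}
+	if(b == 0)
+		return 0;
+	if(a > INT_MAX / b) {
+		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+		return 1;
+	}
+	return 0;
+}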
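Review bot: overflow2() is declared in gdhelpers.h (see the header hunk in this patch) but this new file includes only gd.h, so unless gd.h happens to pull in gdhelpers.h the definition is never compiled against its own prototype; add `#include "gdhelpers.h"` after `#include "gd.h"`. The int signature also means that every size_t or png_uint_32 argument at the call sites in this patch is narrowed to int before the comparison against INT_MAX runs, and a value above INT_MAX is converted in an implementation-defined way before the check ever sees it. A size_t variant comparing against SIZE_MAX, or at least a documented requirement that both arguments already fit in int, would make the check match the size that gdMalloc actually receives.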
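--- a/wbmp.c
+++ b/wbmp.c
@@ -108,6 +108,16 @@
     if ( (wbmp = (Wbmp *) gdMalloc( sizeof(Wbmp) )) == NULL)
         return (NULL);
 
+    if (overflow2(sizeof(int), width))
+    {
+        gdFree( wbmp );
+        return (NULL);
+    }
+    if (overflow2(sizeof(int)*width, height))
+    {
+        gdFree( wbmp );
+        return (NULL);
+    }
     if ( (wbmp->bitmap = (int *) gdMalloc( sizeof(int)*width*height )) == NULL)
     {
         gdFree( wbmp );
@@ -167,7 +177,9 @@
 	printf("W: %d, H: %d\n", wbmp->width, wbmp->height);	
 	#endif
 
-	if ( (wbmp->bitmap = (int *) gdMalloc( sizeof(int)*wbmp->width*wbmp->height )) == NULL)
+	if ( overflow2(sizeof (int), wbmp->width) ||
+             overflow2(sizeof (int) * wbmp->width, wbmp->height) ||
+             (wbmp->bitmap = (int *) gdMalloc( sizeof(int)*wbmp->width*wbmp->height )) == NULL)
 	{
 		gdFree( wbmp );
 		return (-1);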
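Review bot: The two guards added at new lines 111-120 of the first hunk repeat the same `gdFree( wbmp ); return (NULL);` body, while the second hunk folds the equivalent checks into the allocation condition with `||`; the first hunk should take the same shape, `if (overflow2(sizeof(int), width) || overflow2(sizeof(int)*width, height)) { gdFree( wbmp ); return (NULL); }`, so the two sites stay in step when one is later changed. Short-circuit evaluation keeps the second overflow2 call safe in both places, because `sizeof(int)*width` is only evaluated after the first call has established that it fits in int and that width is non-negative. Both enclosing functions start before the hunks shown.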
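--- a/gd.c
+++ b/gd.c
@@ -62,6 +62,11 @@
 	int i;
 	gdImagePtr im;
 	im = (gdImage *) gdMalloc(sizeof(gdImage));
+	if (overflow2(sizeof (unsigned char *), sy))
+	{
+		gdFree(im);
+		return NULL;
+	}
 	/* NOW ROW-MAJOR IN GD 1.3 */
 	im->pixels = (unsigned char **) gdMalloc(sizeof(unsigned char *) * sy);
 	im->polyInts = 0;
@@ -1240,6 +1245,9 @@
 	/* We only need to use floating point to determine the correct
 		stretch vector for one line's worth. */
 	double accum;
+	if (overflow2(sizeof (int), srcW) || overflow2(sizeof (int), srcH)) {
+		return;
+	}
 	stx = (int *) gdMalloc(sizeof(int) * srcW);
 	sty = (int *) gdMalloc(sizeof(int) * srcH);
 	accum = 0;
@@ -1371,6 +1379,9 @@
 	}
 	bytes = (w * h / 8) + 1;
 	im = gdImageCreate(w, h);
+	if(!im) {
+		return 0;
+	}
 	gdImageColorAllocate(im, 255, 255, 255);
 	gdImageColorAllocate(im, 0, 0, 0);
 	x = 0;
@@ -1462,6 +1473,9 @@
 		return;
 	}
 	if (!im->polyAllocated) {
+		if (overflow2(sizeof (int), n)) {
+			return;
+		}
 		im->polyInts = (int *) gdMalloc(sizeof(int) * n);
 		im->polyAllocated = n;
 	}		
@@ -1469,6 +1483,9 @@
 		while (im->polyAllocated < n) {
 			im->polyAllocated *= 2;
 		}	
+		if (overflow2(sizeof (int), im->polyAllocated)) {
+			return;
+		}
 		im->polyInts = (int *) gdRealloc(im->polyInts,
 			sizeof(int) * im->polyAllocated);
 	}
@@ -1534,6 +1551,9 @@
 	if (im->style) {
 		gdFree(im->style);
 	}
+	if (overflow2(sizeof (int), noOfPixels)) {
+		return;
+	}
 	im->style = (int *) 
 		gdMalloc(sizeof(int) * noOfPixels);
 	memcpy(im->style, style, sizeof(int) * noOfPixels);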
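Review bot: In the gdRealloc hunk the `while` loop doubles `im->polyAllocated` in place before the new `overflow2(sizeof (int), im->polyAllocated)` check, so when the check fails the function returns with `im->polyAllocated` already raised while `im->polyInts` still has its old, smaller allocation; a later call with n below the inflated value skips reallocation and writes past the buffer. Doubling a local and committing it to `im->polyAllocated` only after the check avoids that, and also gives a place to reject the doubling itself overflowing int. The gdImageSetStyle hunk has the same ordering problem: `gdFree(im->style)` runs before the check, so an early return leaves `im->style` pointing at freed memory — either set `im->style = NULL;` right after the free or move the check above it. Both enclosing functions start before the hunks shown.

```c
		int newAllocated = im->polyAllocated;
		while (newAllocated < n) {
			if (overflow2(newAllocated, 2)) {
				return;
			}
			newAllocated *= 2;
		}
		if (overflow2(sizeof (int), newAllocated)) {
			return;
		}
		im->polyAllocated = newAllocated;
		im->polyInts = (int *) gdRealloc(im->polyInts,
			sizeof(int) * im->polyAllocated);
```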
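--- a/gdhelpers.h
+++ b/gdhelpers.h
@@ -13,5 +13,12 @@
 void *gdMalloc(size_t size);
 void *gdRealloc(void *ptr, size_t size);
 
+/* Returns nonzero if multiplying the two quantities will
+      result in integer overflow. Also returns nonzero if 
+      either quantity is negative. By Phil Knirsch based on
+      netpbm fixes by Alan Cox. */
+
+int overflow2(int a, int b);
+
 #endif /* GDHELPERS_H */
 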
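Review bot: The new comment on overflow2 says it reports "integer overflow" without naming the bound or the side effect, both of which a caller needs to know: the implementation in gd_security.c compares against INT_MAX and writes a warning to stderr when it fails, and the call sites in this patch pass size_t and png_uint_32 values that are narrowed to int first. I would replace the comment with `/* Returns nonzero if a * b would exceed INT_MAX, or if either argument is negative; a warning is written to stderr in both cases. The parameters are int, so wider values (size_t, png_uint_32) are narrowed before the check - callers must ensure they fit. */`.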
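--- a/gd_io_dp.c
+++ b/gd_io_dp.c
@@ -165,6 +165,9 @@
 
   bytesNeeded = pos;
   if (bytesNeeded > dp->realSize) {
+    if (overflow2(dp->realSize, 2)) {
+      return FALSE;
+    }
     if (!gdReallocDynamic(dp,dp->realSize*2)) {
       dp->dataGood = FALSE;
       return FALSE;
@@ -311,6 +314,9 @@
   bytesNeeded = dp->pos + size;
 
   if (bytesNeeded > dp->realSize) {
+    if (overflow2(bytesNeeded, 2)) {
+      return FALSE;
+    }
     if (!gdReallocDynamic(dp,bytesNeeded*2)) {
       dp->dataGood = FALSE;
       return FALSE;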
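Review bot: In the second hunk the new check guards only the doubling, but `bytesNeeded = dp->pos + size;` on the line above can itself wrap when a caller passes a large `size`, and a wrapped, small `bytesNeeded` fails the `> dp->realSize` test so no reallocation happens before the write that presumably follows outside the hunk. A check on the addition, along the lines of `if (size > INT_MAX - dp->pos) return FALSE;` (with the bound adjusted to the fields' actual types, which are declared outside the hunk), belongs before that comparison. The new early returns in both hunks also differ from the adjacent realloc-failure path in not setting `dp->dataGood = FALSE;`; if that flag is what callers inspect, both should set it as well. Both enclosing functions start before the hunks shown.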
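--- a/gd_gd.c
+++ b/gd_gd.c
@@ -75,7 +75,9 @@
         GD2_DBG(printf("Image is %dx%d\n", *sx, *sy));
 
         im = gdImageCreate(*sx, *sy);
-
+	if (!im) {
+		goto fail1;
+	}
         if (!_gdGetColors(in, im)) {
                 goto fail2;
         }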
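Review bot: The three added lines are indented with tabs while the surrounding function body uses eight spaces (`        if (!_gdGetColors(in, im)) {`), so the new block only lines up when a tab is rendered as eight columns; match the file's spacing here. The `fail1` label is outside the hunk, so I cannot confirm from this view that it skips the image teardown that `fail2` presumably performs — worth checking, since `im` is NULL on this path and passing it to gdImageDestroy would dereference it.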
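--- a/gdxpm.c
+++ b/gdxpm.c
@@ -41,6 +41,9 @@
 	    return 0;
 
 	number = image.ncolors;
+	if (overflow2(sizeof (int), number)) {
+		return 0;
+	}
 	colors = (int*)gdMalloc(sizeof(int) * number);
 	if (colors == NULL)
 		return(0);
@@ -124,11 +127,6 @@
 			fprintf(stderr,"ARRRGH\n");
 		}
 
-	apixel = (char *)gdMalloc(image.cpp+1);
-	if (apixel == NULL)
-		return(0);
-	apixel[image.cpp] = '\0';
-
 	pointer = image.data;
 	for(i=0;i<image.height;i++)
 		{
@@ -138,7 +136,6 @@
 			gdImageSetPixel(im,j,i,colors[k]);
 			}
 		}
-	gdFree(apixel);
 	gdFree(colors);
 	return(im);
 	}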
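Review bot: The new `return 0;` in the first hunk exits with `image` still populated, exactly like the existing `colors == NULL` return just below it; if `image` was filled by XpmReadFileToXpmImage earlier in the function (its start is outside the hunk), both early returns should call `XpmFreeXpmImage(&image);` first, otherwise every rejected file leaks its colour table and pixel data. The two later hunks only remove the `apixel` buffer and its free and need no further change.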
(-)Makefile.security (-2 / +2 lines)
Lines 138-151 Link Here
138
gdtestttf: gdtestttf.o libgd.a
138
gdtestttf: gdtestttf.o libgd.a
139
	$(CC) --verbose gdtestttf.o -o gdtestttf $(LIBDIRS) $(LIBS)
139
	$(CC) --verbose gdtestttf.o -o gdtestttf $(LIBDIRS) $(LIBS)
140
140
141
libgd.a: gd.o gd_gd.o gd_gd2.o gd_io.o gd_io_dp.o gd_io_file.o gd_ss.o \
141
libgd.a: gd.o gd_gd.o gd_gd2.o gd_io.o gd_io_dp.o gd_io_file.o gd_security.o gd_ss.o \
142
	gd_io_ss.o gd_png.o gd_jpeg.o gdxpm.o gdfontt.o gdfonts.o gdfontmb.o gdfontl.o \
142
	gd_io_ss.o gd_png.o gd_jpeg.o gdxpm.o gdfontt.o gdfonts.o gdfontmb.o gdfontl.o \
143
	gdfontg.o gdtables.o gdft.o gdttf.o gdcache.o gdkanji.o wbmp.o \
143
	gdfontg.o gdtables.o gdft.o gdttf.o gdcache.o gdkanji.o wbmp.o \
144
	gd_wbmp.o gdhelpers.o gd.h gdfontt.h gdfonts.h gdfontmb.h gdfontl.h \
144
	gd_wbmp.o gdhelpers.o gd.h gdfontt.h gdfonts.h gdfontmb.h gdfontl.h \
145
	gdfontg.h gdhelpers.h
145
	gdfontg.h gdhelpers.h
146
	rm -f libgd.a
146
	rm -f libgd.a
147
	$(AR) rc libgd.a gd.o gd_gd.o gd_gd2.o gd_io.o gd_io_dp.o \
147
	$(AR) rc libgd.a gd.o gd_gd.o gd_gd2.o gd_io.o gd_io_dp.o \
148
		gd_io_file.o gd_ss.o gd_io_ss.o gd_png.o gd_jpeg.o gdxpm.o \
148
		gd_io_file.o gd_security.o gd_ss.o gd_io_ss.o gd_png.o gd_jpeg.o gdxpm.o \
149
		gdfontt.o gdfonts.o gdfontmb.o gdfontl.o gdfontg.o \
149
		gdfontt.o gdfonts.o gdfontmb.o gdfontl.o gdfontg.o \
150
		gdtables.o gdft.o gdttf.o gdcache.o gdkanji.o wbmp.o \
150
		gdtables.o gdft.o gdttf.o gdcache.o gdkanji.o wbmp.o \
151
		gd_wbmp.o gdhelpers.o
151
		gd_wbmp.o gdhelpers.o
