- #109, Possible integer overflow in gdImageFill()
mattias
parent
ad0d83431f
commit
5008306b0d
16
src/gd.c
16
src/gd.c
|
|
@ -1954,6 +1954,14 @@ BGD_DECLARE(void) gdImageFill(gdImagePtr im, int x, int y, int nc)
|
|||
goto done;
|
||||
}
|
||||
|
||||
if(overflow2(im->sy, im->sx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if(overflow2(sizeof(struct seg), ((im->sy * im->sx) / 4))) {
|
||||
return;
|
||||
}
|
||||
|
||||
stack = (struct seg *)gdMalloc(sizeof(struct seg) * ((int)(im->sy*im->sx)/4));
|
||||
if (!stack) {
|
||||
return;
|
||||
|
|
@ -2019,6 +2027,14 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
|
|||
wx2=im->sx;wy2=im->sy;
|
||||
tiled = nc==gdTiled;
|
||||
|
||||
if(overflow2(im->sy, im->sx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if(overflow2(sizeof(struct seg), ((im->sy * im->sx) / 4))) {
|
||||
return;
|
||||
}
|
||||
|
||||
nc = gdImageTileGet(im,x,y);
|
||||
pts = (char *) gdCalloc(im->sy * im->sx, sizeof(char));
|
||||
if (!pts) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue