Fix #73003: Integer Overflow in gdImageWebpCtx of gd_webp.c

We add the missing integer overflow check to avoid potential buffer overflows.
2026-03-26 09:12:14 +01:00 · 2016-09-16 11:31:21 +02:00
parent 3c117d4136
commit 46df064261
2 changed files with 11 additions and 0 deletions
--- a/2
+++ b/2
@@ -22,6 +22,8 @@ PHP                                                                        NEWS
    (cmb)
  . Fixed bug #50194 (imagettftext broken on transparent background w/o
    alphablending). (cmb)
+  . Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
+    cmb)

 - Mbstring:
  . Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
--- a/ext/gd/libgd/gd_webp.c
+++ b/ext/gd/libgd/gd_webp.c
@@ -180,6 +180,15 @@ void gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantization)
 	/* Conversion to Y,U,V buffer */
    yuv_width = (width + 1) >> 1;
    yuv_height = (height + 1) >> 1;
+
+	if (overflow2(width, height)) {
+		return;
+	}
+	/* simplification possible, because WebP must not be larger than 16384**2 */
+	if (overflow2(width * height, 2 * sizeof(unsigned char))) {
+		return;
+	}
+
    yuv_nbytes = width * height + 2 * yuv_width * yuv_height;

    if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {