From 46df0642618eabc5b5b7df490d1ae23bda00a745 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" 
Date: Fri, 16 Sep 2016 11:31:21 +0200
Subject: [PATCH] Fix #73003: Integer Overflow in gdImageWebpCtx of gd_webp.c

We add the missing integer overflow check to avoid potential buffer overflows.
---
 NEWS | 2 ++
 ext/gd/libgd/gd_webp.c | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/NEWS b/NEWS
index 63a6800ba76..ef6cb570abc 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ PHP NEWS
 (cmb)
 . Fixed bug #50194 (imagettftext broken on transparent background w/o
 alphablending). (cmb)
+ . Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
+ cmb)
 
 - Mbstring:
 . Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
diff --git a/ext/gd/libgd/gd_webp.c b/ext/gd/libgd/gd_webp.c
index bf9ac9dd0e1..985187edc26 100644
--- a/ext/gd/libgd/gd_webp.c
+++ b/ext/gd/libgd/gd_webp.c
@@ -180,6 +180,15 @@ void gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantization)
 /* Conversion to Y,U,V buffer */
 yuv_width = (width + 1) >> 1;
 yuv_height = (height + 1) >> 1;
+
+ if (overflow2(width, height)) {
+ return;
+ }
+ /* simplification possible, because WebP must not be larger than 16384**2 */
+ if (overflow2(width * height, 2 * sizeof(unsigned char))) {
+ return;
+ }
+
 yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
 
 if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
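Review bot: The two new early `return`s are silent in a `void` function, so a caller that trips the overflow guard gets no output and no diagnostic; the allocation-failure branch that starts on the hunk's last line presumably reports an error in this file's usual way (its body is outside the hunk), and the overflow branches should emit a matching message before returning so the failure is attributable. The comment on the second check also does not say why testing `width * height` against `2` is sufficient: it relies on `2 * yuv_width * yuv_height` being at most roughly `width * height` (both yuv dimensions are about half the image's), so the full `yuv_nbytes` sum cannot overflow if twice the product does not. I would replace the comment with `/* yuv_nbytes = w*h + 2*yuv_w*yuv_h <= 2*w*h (yuv dims are ~half of w,h), so checking 2*w*h bounds the whole sum; WebP additionally caps images at 16384**2 */` and write the operand as a plain `2`, since `2 * sizeof(unsigned char)` is always 2 and only narrows a `size_t` into `overflow2`'s parameter (declared elsewhere, presumably `int`). gdImageWebpCtx begins and ends outside the hunk.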