Index: ext/gd/gd.c =================================================================== RCS file: /repository/php-src/ext/gd/gd.c,v retrieving revision 1.312.2.20.2.28 diff -u -p -d -r1.312.2.20.2.28 gd.c --- ext/gd/gd.c 3 Jun 2007 17:46:18 -0000 1.312.2.20.2.28 +++ ext/gd/gd.c 5 Jun 2007 21:00:49 -0000 @@ -1740,6 +1740,10 @@ PHP_FUNCTION(imagecreatetruecolor) im = gdImageCreateTrueColor(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size)); + if (!im) { + RETURN_FALSE; + } + ZEND_REGISTER_RESOURCE(return_value, im, le_gd); } /* }}} */ @@ -2350,6 +2354,10 @@ PHP_FUNCTION(imagecreate) im = gdImageCreate(Z_LVAL_PP(x_size), Z_LVAL_PP(y_size)); + if (!im) { + RETURN_FALSE; + } + ZEND_REGISTER_RESOURCE(return_value, im, le_gd); } /* }}} */ Index: ext/gd/libgd/gd.c =================================================================== RCS file: /repository/php-src/ext/gd/libgd/gd.c,v retrieving revision 1.90.2.1.2.11 diff -u -p -d -r1.90.2.1.2.11 gd.c --- ext/gd/libgd/gd.c 14 Apr 2007 17:33:15 -0000 1.90.2.1.2.11 +++ ext/gd/libgd/gd.c 5 Jun 2007 21:00:50 -0000 @@ -120,6 +120,15 @@ gdImagePtr gdImageCreate (int sx, int sy { int i; gdImagePtr im; + + if (overflow2(sx, sy)) { + return NULL; + } + + if (overflow2(sizeof(unsigned char *), sy)) { + return NULL; + } + im = (gdImage *) gdMalloc(sizeof(gdImage)); memset(im, 0, sizeof(gdImage)); /* Row-major ever since gd 1.3 */ @@ -162,6 +171,19 @@ gdImagePtr gdImageCreateTrueColor (int s { int i; gdImagePtr im; + + if (overflow2(sx, sy)) { + return NULL; + } + + if (overflow2(sizeof(unsigned char *), sy)) { + return NULL; + } + + if (overflow2(sizeof(int), sx)) { + return NULL; + } + im = (gdImage *) gdMalloc(sizeof(gdImage)); memset(im, 0, sizeof(gdImage)); im->tpixels = (int **) gdMalloc(sizeof(int *) * sy); 
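Review bot: Only imagecreatetruecolor() and imagecreate() get a NULL check, yet the libgd part of this patch makes gdImageCreate() and gdImageCreateTrueColor() return NULL to every caller. Any other call site that dereferences the result or hands it to `ZEND_REGISTER_RESOURCE` without checking is outside these hunks and should be audited in the same change. The guard is identical in the imagecreate hunk; in both places a one-line comment such as `/* NULL: dimensions rejected by libgd's overflow checks */` above `if (!im) {` would record why creation can now fail. Both function bodies start outside the hunks, so any earlier validation of x_size/y_size is not visible here.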
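Review bot: The new guards in gdImageCreate bound the products `sx * sy` and `sizeof(unsigned char *) * sy`, but whether zero or negative `sx`/`sy` are rejected depends entirely on overflow2(), whose definition is not part of this patch. If overflow2() does not refuse non-positive operands, an explicit `if (sx <= 0 || sy <= 0) { return NULL; }` ahead of the overflow checks would close that gap; the same applies to the gdImageCreateTrueColor hunk. The context line `memset(im, 0, sizeof(gdImage));` uses the gdMalloc() result unchecked, which is only safe if gdMalloc() cannot return NULL in this build. The function comments should also state that NULL is now a possible return value.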
@@ -2404,6 +2426,14 @@ void gdImageCopyResized (gdImagePtr dst, int *stx, *sty; /* We only need to use floating point to determine the correct stretch vector for one line's worth. */ double accum; + + if (overflow2(sizeof(int), srcW)) { + return; + } + if (overflow2(sizeof(int), srcH)) { + return; + } + stx = (int *) gdMalloc (sizeof (int) * srcW); sty = (int *) gdMalloc (sizeof (int) * srcH); accum = 0; @@ -3195,6 +3225,10 @@ void gdImageFilledPolygon (gdImagePtr im return; } + if (overflow2(sizeof(int), n)) { + return; + } + if (c == gdAntiAliased) { fill_color = im->AA_color; } else { @@ -3209,6 +3243,9 @@ void gdImageFilledPolygon (gdImagePtr im while (im->polyAllocated < n) { im->polyAllocated *= 2; } + if (overflow2(sizeof(int), im->polyAllocated)) { + return; + } im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * im->polyAllocated); } miny = p[0].y;
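Review bot: The two early `return;` statements leave the destination image untouched, and because gdImageCopyResized is void the caller cannot tell that nothing was copied. Unless overflow2() itself reports the rejection (its definition is not shown), a refused resize is silent; a comment such as `/* srcW/srcH too large for the stretch tables: nothing is copied */` above the checks would at least document it. The same silent-return pattern is used in both gdImageFilledPolygon hunks. The `stx` and `sty` allocations that follow are not checked for NULL in the visible lines, so the guard only helps if gdMalloc() cannot fail here.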
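Review bot: On the early return added after the doubling loop in gdImageFilledPolygon, `im->polyAllocated` has already been raised by `im->polyAllocated *= 2` while `im->polyInts` still has its old size, so the recorded capacity no longer matches the buffer. A later call with a point count between the old and the new capacity would presumably skip the reallocation (the enclosing condition is outside the hunk) and write past the end of `polyInts`. Compute the new capacity in a local and store it only after gdRealloc() has run, as below; the enclosing block opens outside the hunk, so the declaration may need to move to the top of that block for C89. The gdRealloc() result is also assigned without a NULL check in the visible lines.

```c
int new_alloc = im->polyAllocated;

while (new_alloc < n) {
	new_alloc *= 2;
}
if (overflow2(sizeof(int), new_alloc)) {
	return;
}
im->polyInts = (int *) gdRealloc(im->polyInts, sizeof(int) * new_alloc);
im->polyAllocated = new_alloc;
/* … unchanged: end of the enclosing block, miny = p[0].y; … */
```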