Anonymous committed 8b12fb0

- #109, Possible integer overflow in gdImageFill()

  • Parent commits 6b766f0
  • Branches GD-2.0

Files changed (1)

 		goto done;
 	}
 
+	if(overflow2(im->sy, im->sx)) {
+		return;
+	}
+
+	if(overflow2(sizeof(struct seg), ((im->sy * im->sx) / 4))) {
+		return;
+	}
+
 	stack = (struct seg *)gdMalloc(sizeof(struct seg) * ((int)(im->sy*im->sx)/4));
 	if (!stack) {
 		return;
 	wx2=im->sx;wy2=im->sy;
 	tiled = nc==gdTiled;
 
+	if(overflow2(im->sy, im->sx)) {
+		return;
+	}
+
+	if(overflow2(sizeof(struct seg), ((im->sy * im->sx) / 4))) {
+		return;
+	}
+
 	nc =  gdImageTileGet(im,x,y);
 	pts = (char *) gdCalloc(im->sy * im->sx, sizeof(char));
 	if (!pts) {
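Review bot: The two added `return;` statements in the first hunk (the one that follows `goto done;`) leave the function without passing through the `done` label that the early-exit path just above uses, so whatever that label restores or releases is skipped when an overflow is detected. The label's body is outside the hunk, so this is inferred from the visible `goto done;`; if it resets state on `im`, the guards should read `if (overflow2(im->sy, im->sx)) { goto done; }`, and likewise for the `sizeof(struct seg)` check. The existing `if (!stack) { return; }` right after the allocation has the same shape and is worth changing together with them. The second hunk repeats the same two guards in another function whose exit path is not visible here, so the same question applies there.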