Skip to content

Commit f50c41e

Browse files
devnexendevnexen
committed
Fix GH-19790: integer overflowq in imagerectangle
1 parent f6f1748 commit f50c41e

File tree

1 file changed

+21
-5
lines changed

1 file changed

+21
-5
lines changed

ext/gd/libgd/gd.c

Lines changed: 21 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -712,13 +712,17 @@ void gdImagePaletteCopy (gdImagePtr to, gdImagePtr from)
712712
*/
713713

714714
static int clip_1d(int *x0, int *y0, int *x1, int *y1, int maxdim) {
715-
double m; /* gradient of line */
715+
double m, tmp; /* gradient of line */
716716

717717
if (*x0 < 0) { /* start of line is left of window */
718718
if(*x1 < 0) { /* as is the end, so the line never cuts the window */
719719
return 0;
720720
}
721-
m = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the line */
721+
tmp = (double)*x1 - (double)*x0;
722+
if (tmp < (double)INT_MIN || tmp == 0.0 || tmp > (double)INT_MAX) {
723+
return 0;
724+
}
725+
m = (*y1 - *y0)/tmp; /* calculate the slope of the line */
722726
/* adjust x0 to be on the left boundary (ie to be zero), and y0 to match */
723727
*y0 -= (int)(m * *x0);
724728
*x0 = 0;
@@ -733,7 +737,11 @@ static int clip_1d(int *x0, int *y0, int *x1, int *y1, int maxdim) {
733737
if (*x1 > maxdim) { /* as is the end, so the line misses the window */
734738
return 0;
735739
}
736-
m = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the line */
740+
tmp = (double)*x1 - (double)*x0;
741+
if (tmp < (double)INT_MIN || tmp == 0.0 || tmp > (double)INT_MAX) {
742+
return 0;
743+
}
744+
m = (*y1 - *y0)/tmp; /* calculate the slope of the line */
737745
*y0 += (int)(m * (maxdim - *x0)); /* adjust so point is on the right boundary */
738746
*x0 = maxdim;
739747
/* now, perhaps, adjust the end of the line */
@@ -745,13 +753,21 @@ static int clip_1d(int *x0, int *y0, int *x1, int *y1, int maxdim) {
745753
}
746754
/* the final case - the start of the line is inside the window */
747755
if (*x1 > maxdim) { /* other end is outside to the right */
748-
m = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the line */
756+
tmp = (double)*x1 - (double)*x0;
757+
if (tmp < (double)INT_MIN || tmp == 0.0 || tmp > (double)INT_MAX) {
758+
return 0;
759+
}
760+
m = (*y1 - *y0)/tmp; /* calculate the slope of the line */
749761
*y1 += (int)(m * (maxdim - *x1));
750762
*x1 = maxdim;
751763
return 1;
752764
}
753765
if (*x1 < 0) { /* other end is outside to the left */
754-
m = (*y1 - *y0)/(double)(*x1 - *x0); /* calculate the slope of the line */
766+
tmp = (double)*x1 - (double)*x0;
767+
if (tmp < (double)INT_MIN || tmp == 0.0 || tmp > (double)INT_MAX) {
768+
return 0;
769+
}
770+
m = (*y1 - *y0)/tmp; /* calculate the slope of the line */
755771
*y1 -= (int)(m * *x1);
756772
*x1 = 0;
757773
return 1;

0 commit comments

Comments
 (0)