There is an integer overflow in PHP in ext/gd/libgd/wbmp.c in the
function readwbmp. If large enough values are specified for wbmp image
height and/or width, so that width*height > 2^32, an integer overflow
occurs on the following line
if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->he...
function readwbmp. If large enough values are specified for wbmp image
height and/or width, so that width*height > 2^32, an integer overflow
occurs on the following line
if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->he...
[ more ]