author | Stanislav Malyshev <stas@php.net> | 2016-05-23 00:28:02 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-05-23 00:34:35 -0700 |
commit | 7a1aac3343af85b4af4df5f8844946eaa27394ab (patch) | |
tree | 34bf6a193c7ab7784d59149a4793d5cf2d8051c8 | |
parent | 97eff7eb57fc2320c267a949cffd622c38712484 (diff) | |
Fixed bug #72227: imagescale out-of-bounds read
Ported from https://github.com/libgd/libgd/commit/4f65a3e4eedaffa1efcf9ee1eb08f0b504fbc31a
-rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 16 | ||||
-rw-r--r-- | ext/gd/tests/bug72227.phpt | 15 |
2 files changed, 23 insertions, 8 deletions
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 6b7360a6de..a017498383 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -39,8 +39,8 @@ downscaling using the fixed point implementations are usually much faster than the existing gdImageCopyResampled while having a similar or better quality. - - For image rotations, the optimized versions have a lazy antialiasing for + + For image rotations, the optimized versions have a lazy antialiasing for the edges of the images. For a much better antialiased result, the affine function is recommended. */ @@ -633,7 +633,7 @@ static inline int _color_blend (const int dst, const int src) } } -static inline int _setEdgePixel(const gdImagePtr src, unsigned int x, unsigned int y, gdFixed coverage, const int bgColor) +static inline int _setEdgePixel(const gdImagePtr src, unsigned int x, unsigned int y, gdFixed coverage, const int bgColor) { const gdFixed f_127 = gd_itofx(127); register int c = src->tpixels[y][x]; @@ -934,9 +934,6 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi double dTotalWeight = 0.0; int iSrc; - res->ContribRow[u].Left = iLeft; - res->ContribRow[u].Right = iRight; - /* Cut edge points to fit in filter window in case of spill-off */ if (iRight - iLeft + 1 > windows_size) { if (iLeft < ((int)src_size - 1 / 2)) { @@ -946,6 +943,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi } } + res->ContribRow[u].Left = iLeft; + res->ContribRow[u].Right = iRight; + for (iSrc = iLeft; iSrc <= iRight; iSrc++) { dTotalWeight += (res->ContribRow[u].Weights[iSrc-iLeft] = scale_f_d * (*pFilter)(scale_f_d * (dCenter - (double)iSrc))); } @@ -2273,7 +2273,7 @@ int gdTransformAffineGetImage(gdImagePtr *dst, if (!src->trueColor) { gdImagePaletteToTrueColor(src); } - + /* Translate to dst origin (0,0) */ gdAffineTranslate(m, -bbox.x, -bbox.y); gdAffineConcat(m, affine, m); 
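Review bot: In the `_gdContributionsCalc` hunks (`@@ -934,9 +934,6 @@` and `@@ -946,6 +943,9 @@`), the clip that now runs before the `Left`/`Right` stores still tests `iLeft < ((int)src_size - 1 / 2)`, where `1 / 2` is integer zero, so the condition reduces to `iLeft < (int)src_size` and the `iRight--` branch looks unreachable. If the midpoint of the source line was intended, the line should read `if (iLeft < ((int)src_size - 1) / 2) {`. The clip also trims a single element, so the `Weights[iSrc-iLeft]` store in the following loop stays inside the row only if `iRight - iLeft + 1` can exceed `windows_size` by at most one. That depends on how `iLeft`, `iRight` and `windows_size` are computed outside the hunk, so I would add a comment stating the invariant above the clip, or turn the `if` into a `while` so the bound holds regardless. The function body starts and ends outside these hunks.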
@@ -2332,7 +2332,7 @@ int gdTransformAffineCopy(gdImagePtr dst, if (src->interpolation_id == GD_BILINEAR_FIXED || src->interpolation_id == GD_BICUBIC_FIXED || src->interpolation_id == GD_NEAREST_NEIGHBOUR) { interpolation_id_bak = src->interpolation_id; interpolation_bak = src->interpolation; - + gdImageSetInterpolationMethod(src, GD_BICUBIC); } diff --git a/ext/gd/tests/bug72227.phpt b/ext/gd/tests/bug72227.phpt new file mode 100644 index 0000000000..6252be7d0e --- /dev/null +++ b/ext/gd/tests/bug72227.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #72227: imagescale out-of-bounds read +--SKIPIF-- +<?php + if (!extension_loaded('gd')) die("skip gd extension not available\n"); +?> +--FILE-- +<?php + +$img = imagecreatetruecolor ( 100, 100); +imagescale($img, 13, 1, IMG_BICUBIC); +?> +DONE +--EXPECT-- +DONE
\ No newline at end of file |
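Review bot: The new `bug72227.phpt` passes whenever the script reaches `DONE`, so on a build without a memory checker an out-of-bounds read that does not crash would still pass, and the return value of `imagescale()` is never looked at. Capturing and checking the result makes the test assert something about the scaled image, for example `$res = imagescale($img, 13, 1, IMG_BICUBIC);` followed by `var_dump(imagesx($res), imagesy($res));` with the matching lines added under `--EXPECT--`. It would also help to note in the test description that the regression is only reliably caught when the suite runs under valgrind or ASan.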