authorChristoph M. Becker <cmbecker69@gmx.de>2016-10-10 11:40:16 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2016-10-10 11:41:39 +0200
commitfc989fc6e773ccfb4d9ade0f466a3c5c2820bfdc (patch)
tree63f7094150aa42e0706d7ec5e528dfb1ee36d145
parentb92216b97dcdae738ae24d9bdd1168565dc04406 (diff)
downloadphp-git-fc989fc6e773ccfb4d9ade0f466a3c5c2820bfdc.tar.gz
Fix #73279: Integer overflow in gdImageScaleBilinearPalette()
The color components are supposed to be in range 0..255, so we must not cast them to `signed char`, which can be the default for `char`. Port of <https://github.com/libgd/libgd/commit/77c8d359>.
-rw-r--r--NEWS1
-rw-r--r--ext/gd/libgd/gd_interpolation.c8
-rw-r--r--ext/gd/tests/bug73279.phpt20
-rw-r--r--ext/gd/tests/bug73279_old.phpt22
4 files changed, 47 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index a41168d066..9fc658ec7b 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP NEWS
. Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
. Fixed bug #73272 (imagescale() is not affected by, but affects
imagesetinterpolation()). (cmb)
+ . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 4c11213a8e..1c151b5509 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -1331,10 +1331,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
f_a4 = gd_itofx(gdTrueColorGetAlpha(pixel4));
{
- const char red = (char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
- const char green = (char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
- const char blue = (char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
- const char alpha = (char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
+ const unsigned char red = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
+ const unsigned char green = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
+ const unsigned char blue = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
+ const unsigned char alpha = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
new_img->tpixels[dst_offset_v][dst_offset_h] = gdTrueColorAlpha(red, green, blue, alpha);
}
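Review bot: The `(unsigned char)` casts on the four new lines truncate modulo 256 rather than clamp, so the fix is only correct if every weighted sum is already in range after `gd_fxtoi`. If fixed-point rounding can push a sum just past the maximum or below zero, the component would wrap to the other end of the range instead of saturating; alpha is the tighter case if it is limited to 0..127 as elsewhere in gd (not visible in this hunk). Consider computing each value into an `int` and clamping before narrowing, or at least stating the invariant in a comment such as `/* weights sum to 1.0, so each component stays within 0..255 */`. gdImageScaleBilinearPalette starts and ends outside this hunk, so the weight computation could not be checked here.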
diff --git a/ext/gd/tests/bug73279.phpt b/ext/gd/tests/bug73279.phpt
new file mode 100644
index 0000000000..e6c6709039
--- /dev/null
+++ b/ext/gd/tests/bug73279.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.4', '<')) {
+ die('skip only for bundled libgd or external libgd >= 2.2.4');
+}
+?>
+--FILE--
+<?php
+$src = imagecreate(100, 100);
+imagecolorallocate($src, 255, 255, 255);
+$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
+printf("color: %x\n", imagecolorat($dst, 99, 99));
+?>
+===DONE===
+--EXPECT--
+color: ffffff
+===DONE===
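Review bot: The regression test pins only one pixel of an all-white palette image, so red, green and blue share the value 0xff and alpha is never exercised. A palette colour with distinct components above 127, for example `imagecolorallocate($src, 255, 200, 150);` with the expected output adjusted to match, would show that each of the four casts is fixed independently and that channels are not mixed up. The same applies to the identical `--FILE--` section in ext/gd/tests/bug73279_old.phpt.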
diff --git a/ext/gd/tests/bug73279_old.phpt b/ext/gd/tests/bug73279_old.phpt
new file mode 100644
index 0000000000..0cbbec34f2
--- /dev/null
+++ b/ext/gd/tests/bug73279_old.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (GD_BUNDLED || version_compare(GD_VERSION, '2.2.4', '>=')) {
+ die('skip only for external libgd < 2.2.4');
+}
+?>
+--FILE--
+<?php
+$src = imagecreate(100, 100);
+imagecolorallocate($src, 255, 255, 255);
+$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
+printf("color: %x\n", imagecolorat($dst, 99, 99));
+?>
+===DONE===
+--XFAIL--
+Bug #330 has not yet been fixed
+--EXPECT--
+color: ffffff
+===DONE===
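Review bot: The XFAIL reason `Bug #330 has not yet been fixed` does not say which tracker #330 belongs to, while the test title cites PHP bug #73279. If this is the upstream libgd issue, as the libgd commit link in the description suggests, the line would be clearer as `libgd bug #330 has not yet been fixed`, so that someone triaging an unexpected pass on a system libgd knows where to look.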