diff options
author | Stanislav Malyshev <stas@php.net> | 2016-05-24 17:58:37 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-05-24 18:05:06 -0700 |
commit | 3ed0114e7f25f683eede5528e3b31f2fe2495393 (patch) | |
tree | edc79c2de02c26a783603059b94faf1f4ca6cbce | |
parent | 2beacaad49a50b18bfdb03fdd5272d0f1daa19a1 (diff) | |
parent | 9a826a3bd99315b7c4d4673acd3084c99eb04253 (diff) | |
download | php-git-3ed0114e7f25f683eede5528e3b31f2fe2495393.tar.gz |
Merge branch 'PHP-5.5' into PHP-7.0.7
* PHP-5.5:
Fix memory leak in imagescale()
Update NEWS
Better fix for bug #72135
Fixed bug #72227: imagescale out-of-bounds read
Fix bug #72241: get_icu_value_internal out-of-bounds read
Fix bug #72135 - don't create strings with lengths outside int range
Add check for string overflow to all string add operations
Fix bug #72114 - int/size_t confusion in fread
Updated NEWS
Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()
Conflicts:
Zend/zend_operators.c
ext/intl/locale/locale_methods.c
ext/phar/dirstream.c
ext/phar/tests/bug71331.phpt
ext/standard/file.c
ext/standard/html.c
-rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 8 | ||||
-rw-r--r-- | ext/gd/tests/bug72227.phpt | 15 | ||||
-rw-r--r-- | ext/intl/locale/locale_methods.c | 1 | ||||
-rw-r--r-- | ext/intl/tests/bug72241.phpt | 14 |
4 files changed, 34 insertions, 4 deletions
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index a06e333add..cf67ec9b46 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -932,9 +932,6 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi double dTotalWeight = 0.0; int iSrc; - res->ContribRow[u].Left = iLeft; - res->ContribRow[u].Right = iRight; - /* Cut edge points to fit in filter window in case of spill-off */ if (iRight - iLeft + 1 > windows_size) { if (iLeft < ((int)src_size - 1 / 2)) { @@ -944,6 +941,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi } } + res->ContribRow[u].Left = iLeft; + res->ContribRow[u].Right = iRight; + for (iSrc = iLeft; iSrc <= iRight; iSrc++) { dTotalWeight += (res->ContribRow[u].Weights[iSrc-iLeft] = scale_f_d * (*pFilter)(scale_f_d * (dCenter - (double)iSrc))); } @@ -1096,7 +1096,7 @@ gdImagePtr Scale(const gdImagePtr src, const unsigned int src_width, const unsig _gdScaleHoriz(src, src_width, src_height, tmp_im, new_width, src_height); _gdScaleVert(tmp_im, new_width, src_height, dst, new_width, new_height); - gdFree(tmp_im); + gdImageDestroy(tmp_im); return dst; } diff --git a/ext/gd/tests/bug72227.phpt b/ext/gd/tests/bug72227.phpt new file mode 100644 index 0000000000..6252be7d0e --- /dev/null +++ b/ext/gd/tests/bug72227.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #72227: imagescale out-of-bounds read +--SKIPIF-- +<?php + if (!extension_loaded('gd')) die("skip gd extension not available\n"); +?> +--FILE-- +<?php + +$img = imagecreatetruecolor ( 100, 100); +imagescale($img, 13, 1, IMG_BICUBIC); +?> +DONE +--EXPECT-- +DONE
\ No newline at end of file diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index 3471ba4053..857c14a005 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@ -335,6 +335,7 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam if( U_FAILURE( status ) ) { if( status == U_BUFFER_OVERFLOW_ERROR ) { status = U_ZERO_ERROR; + buflen++; /* add space for \0 */ continue; } diff --git a/ext/intl/tests/bug72241.phpt b/ext/intl/tests/bug72241.phpt new file mode 100644 index 0000000000..397e1e7834 --- /dev/null +++ b/ext/intl/tests/bug72241.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #72241: get_icu_value_internal out-of-bounds read +--SKIPIF-- +<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?> +--FILE-- +<?php +$var1=str_repeat("A", 1000); +$out = locale_get_primary_language($var1); +echo strlen($out) . PHP_EOL; +echo unpack('H*', $out)[1] . PHP_EOL; +--EXPECT-- +1000 +61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 + |