author | Scott MacVicar <scottmac@php.net> | 2008-12-10 13:32:02 +0000 |
---|---|---|
committer | Scott MacVicar <scottmac@php.net> | 2008-12-10 13:32:02 +0000 |
commit | fdb9b62cef6eebf0e941b17f60bef30364c7fcdb (patch) | |
tree | 27a1fb5746edf5a2bdac771bdba0e97c660f48d2 | |
parent | bd266a5bbf1e667bfa030137ef25df51b6c3b6f0 (diff) | |
download | php-git-fdb9b62cef6eebf0e941b17f60bef30364c7fcdb.tar.gz |
MFH Fix segfault and potential security issue in imagerotate().
-rw-r--r-- | ext/gd/libgd/gd.c | 2 | ||||
-rw-r--r-- | ext/gd/tests/imagerotate_overflow.phpt | 32 |
2 files changed, 33 insertions, 1 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index d00c697016..a2677c11dd 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -3136,7 +3136,7 @@ gdImagePtr gdImageRotate (gdImagePtr src, double dAngle, int clrBack, int ignore
 return NULL;
 }
- if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) {
+ if (!gdImageTrueColor(src) && (clrBack < 0 || clrBack>=gdImageColorsTotal(src))) {
 return NULL;
 }
diff --git a/ext/gd/tests/imagerotate_overflow.phpt b/ext/gd/tests/imagerotate_overflow.phpt
new file mode 100644
index 0000000000..ade61d8f80
--- /dev/null
+++ b/ext/gd/tests/imagerotate_overflow.phpt
@@ -0,0 +1,32 @@
+--TEST--
+imagerotate() overflow with negative numbers
+--SKIPIF--
+<?php
+ if (!extension_loaded('gd')) {
+ die("skip gd extension not available.");
+ }
+
+ if (!function_exists('imagerotate')) {
+ die("skip imagerotate() not available.");
+ }
+?>
+--FILE--
+<?php
+
+$im = imagecreate(10, 10);
+
+$tmp = imagerotate ($im, 5, -9999999);
+
+var_dump($tmp);
+
+if ($tmp) {
+ imagedestroy($tmp);
+}
+
+if ($im) {
+ imagedestroy($im);
+}
+
+?>
+--EXPECT--
+bool(false) |
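Review bot: The added lower-bound test on `clrBack` in gdImageRotate has no comment explaining why a negative value must be rejected, and the condition mixes spacing styles (`clrBack < 0` next to `clrBack>=gdImageColorsTotal(src)`). Presumably `clrBack` is used further down as an index into the palette arrays, which would explain the segfault named in the commit message, but that use lies outside the hunk. I would put `/* palette image: clrBack must be a valid index, 0 <= clrBack < colorsTotal */` above the check and write the second comparison as `clrBack >= gdImageColorsTotal(src)`. The truecolor path remains unvalidated here; whether that is safe depends on code the hunk does not show.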
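Review bot: The new test covers a single large negative index on a palette image with no allocated colours, so it would still pass if the check regressed to rejecting every index or if only values near zero slipped through. Adding the boundary value and one accepted case would pin both sides of the range check, e.g. `imagecolorallocate($im, 0, 0, 0);` then `var_dump(imagerotate($im, 5, -1));` expecting `bool(false)`, and `var_dump(imagerotate($im, 5, 0) !== false);` expecting `bool(true)`. The `--EXPECT--` section would need the two extra lines.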