diff options
| author | Pierre Joye <pierre.php@gmail.com> | 2016-07-19 13:37:23 +0700 |
|---|---|---|
| committer | Pierre Joye <pierre.php@gmail.com> | 2016-07-19 13:37:23 +0700 |
| commit | 0fbcff1b35c1005b8d2cdfd33184867912d9d83a (patch) | |
| tree | bac7c23cc39c1f2ad3015a7122c06b7f5d351e9b | |
| parent | fe1d6feb3dfa1eebd69a82c8000d2095b4e8a531 (diff) | |
| download | php-git-0fbcff1b35c1005b8d2cdfd33184867912d9d83a.tar.gz | |
fix #72512, invalid read or write for palette image when invalid transparent index is used
| -rw-r--r-- | ext/gd/libgd/gd.c | 13 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 8 | ||||
| -rw-r--r-- | ext/gd/tests/bug72512.phpt | 17 |
3 files changed, 32 insertions, 6 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index 4dad95ae39..927ecc5439 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -599,15 +599,18 @@ void gdImageColorDeallocate (gdImagePtr im, int color) void gdImageColorTransparent (gdImagePtr im, int color) { + if (color < 0) { + return; + } if (!im->trueColor) { + if((color >= im->colorsTotal)) { + return; + } + /* Make the old transparent color opaque again */ if (im->transparent != -1) { im->alpha[im->transparent] = gdAlphaOpaque; } - if (color > -1 && color < im->colorsTotal && color < gdMaxColors) { - im->alpha[color] = gdAlphaTransparent; - } else { - return; - } + im->alpha[color] = gdAlphaTransparent; } im->transparent = color; } diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 4fa23f0a14..81ea88525a 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1225,7 +1225,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int if (new_img == NULL) { return NULL; } - new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + + if (transparent < 0) { + /* uninitialized */ + new_img->transparent = -1; + } else { + new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + } for (i=0; i < _height; i++) { long j; diff --git a/ext/gd/tests/bug72512.phpt b/ext/gd/tests/bug72512.phpt new file mode 100644 index 0000000000..2a2024d4cb --- /dev/null +++ b/ext/gd/tests/bug72512.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd)) +--SKIPIF-- +<?php + if (!extension_loaded('gd')) die("skip gd extension not available\n"); +?> +--FILE-- +<?php +$img = imagecreatetruecolor(100, 100); +imagecolortransparent($img, -1000000); +imagetruecolortopalette($img, TRUE, 3); +imagecolortransparent($img, 9); +echo "OK"; +?> +--EXPECT-- +OK + |