diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-10 14:25:53 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-10 14:25:53 +0100 |
| commit | 50ba0149d932f2f068ce6e320b0d43e89718205f (patch) | |
| tree | fbbdcf8a3dbfb084a0957d8a5723979b3244b5a3 | |
| parent | a0d0cb847fb623f1f64abe7ff42f5a6e6c4bfb8c (diff) | |
| parent | 1e407256f2b9fa4122df5c511c9ae492a9050416 (diff) | |
| download | php-git-50ba0149d932f2f068ce6e320b0d43e89718205f.tar.gz | |
Merge branch 'PHP-7.3'
* PHP-7.3:
Fix #77272: imagescale() may return image resource on failure
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 43 | ||||
| -rw-r--r-- | ext/gd/tests/bug77272.phpt | 21 |
2 files changed, 38 insertions, 26 deletions
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index afe0d7b4bb..d318c44cb7 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1020,7 +1020,7 @@ static inline void _gdScaleRow(gdImagePtr pSrc, unsigned int src_width, gdImage } } -static inline void _gdScaleHoriz(gdImagePtr pSrc, unsigned int src_width, unsigned int src_height, gdImagePtr pDst, unsigned int dst_width, unsigned int dst_height) +static inline int _gdScaleHoriz(gdImagePtr pSrc, unsigned int src_width, unsigned int src_height, gdImagePtr pDst, unsigned int dst_width, unsigned int dst_height) { unsigned int u; LineContribType * contrib; @@ -1035,13 +1035,14 @@ static inline void _gdScaleHoriz(gdImagePtr pSrc, unsigned int src_width, unsign contrib = _gdContributionsCalc(dst_width, src_width, (double)dst_width / (double)src_width, pSrc->interpolation); if (contrib == NULL) { - return; + return 0; } /* Scale each row */ for (u = 0; u < dst_height - 1; u++) { _gdScaleRow(pSrc, src_width, pDst, dst_width, u, contrib); } _gdContributionsFree (contrib); + return 1; } static inline void _gdScaleCol (gdImagePtr pSrc, unsigned int src_width, gdImagePtr pRes, unsigned int dst_width, unsigned int dst_height, unsigned int uCol, LineContribType *contrib) @@ -1066,7 +1067,7 @@ static inline void _gdScaleCol (gdImagePtr pSrc, unsigned int src_width, gdImag } } -static inline void _gdScaleVert (const gdImagePtr pSrc, const unsigned int src_width, const unsigned int src_height, const gdImagePtr pDst, const unsigned int dst_width, const unsigned int dst_height) +static inline int _gdScaleVert (const gdImagePtr pSrc, const unsigned int src_width, const unsigned int src_height, const gdImagePtr pDst, const unsigned int dst_width, const unsigned int dst_height) { unsigned int u; LineContribType * contrib; @@ -1081,19 +1082,21 @@ static inline void _gdScaleVert (const gdImagePtr pSrc, const unsigned int src_w contrib = _gdContributionsCalc(dst_height, src_height, (double)(dst_height) / (double)(src_height), pSrc->interpolation); if (contrib == NULL) { - return; + return 0; } /* scale each column */ for (u = 0; u < dst_width - 1; u++) { _gdScaleCol(pSrc, src_width, pDst, dst_width, dst_height, u, contrib); } _gdContributionsFree(contrib); + return 1; } gdImagePtr gdImageScaleTwoPass(const gdImagePtr src, const unsigned int src_width, const unsigned int src_height, const unsigned int new_width, const unsigned int new_height) { gdImagePtr tmp_im; gdImagePtr dst; + int scale_pass_res; if (new_width == 0 || new_height == 0) { return NULL; @@ -1109,7 +1112,11 @@ gdImagePtr gdImageScaleTwoPass(const gdImagePtr src, const unsigned int src_widt return NULL; } gdImageSetInterpolationMethod(tmp_im, src->interpolation_id); - _gdScaleHoriz(src, src_width, src_height, tmp_im, new_width, src_height); + scale_pass_res = _gdScaleHoriz(src, src_width, src_height, tmp_im, new_width, src_height); + if (scale_pass_res != 1) { + gdImageDestroy(tmp_im); + return NULL; + } dst = gdImageCreateTrueColor(new_width, new_height); if (dst == NULL) { @@ -1117,30 +1124,14 @@ gdImagePtr gdImageScaleTwoPass(const gdImagePtr src, const unsigned int src_widt return NULL; } gdImageSetInterpolationMethod(dst, src->interpolation_id); - _gdScaleVert(tmp_im, new_width, src_height, dst, new_width, new_height); - gdImageDestroy(tmp_im); - - return dst; -} - -gdImagePtr Scale(const gdImagePtr src, const unsigned int src_width, const unsigned int src_height, const gdImagePtr dst, const unsigned int new_width, const unsigned int new_height) -{ - gdImagePtr tmp_im; - - if (new_width == 0 || new_height == 0) { - return NULL; - } - - tmp_im = gdImageCreateTrueColor(new_width, src_height); - if (tmp_im == NULL) { + scale_pass_res = _gdScaleVert(tmp_im, new_width, src_height, dst, new_width, new_height); + if (scale_pass_res != 1) { + gdImageDestroy(dst); + gdImageDestroy(tmp_im); return NULL; } - gdImageSetInterpolationMethod(tmp_im, src->interpolation_id); - - _gdScaleHoriz(src, src_width, src_height, tmp_im, new_width, src_height); - _gdScaleVert(tmp_im, new_width, src_height, dst, new_width, new_height); - gdImageDestroy(tmp_im); + return dst; } diff --git a/ext/gd/tests/bug77272.phpt b/ext/gd/tests/bug77272.phpt new file mode 100644 index 0000000000..e3423da543 --- /dev/null +++ b/ext/gd/tests/bug77272.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #77272 (imagescale() may return image resource on failure) +--INI-- +memory_limit=-1 +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +if (!GD_BUNGLED && version_compare(GD_VERSION, '2.2.5', '<=')) die('skip upstream fix not yet released'); +if (getenv("SKIP_SLOW_TESTS")) die("skip slow test"); +?> +--FILE-- +<?php +$img = imagecreate(2**28, 1); +var_dump(imagescale($img, 1, 1, IMG_TRIANGLE)); +?> +===DONE=== +--EXPECTF-- +Warning: imagescale():%S product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %s on line %d +bool(false) +===DONE=== |