diff options
| author | Pierre Joye <pierre.php@gmail.com> | 2016-07-19 13:44:11 +0700 |
|---|---|---|
| committer | Pierre Joye <pierre.php@gmail.com> | 2016-07-19 13:44:11 +0700 |
| commit | 6434fc9d2bc0dc497dc438f0316b9448ae6c81b6 (patch) | |
| tree | af715e3e6d1c1a17c38d5759d5903503d13a1147 | |
| parent | 88d86aeb539ef68c0772abc868b70519e7b06a2f (diff) | |
| parent | 740661bd7a4aff947acf4b7c505650eb1fd5dceb (diff) | |
| download | php-git-6434fc9d2bc0dc497dc438f0316b9448ae6c81b6.tar.gz | |
Merge branch 'PHP-7.0'
* PHP-7.0:
fix #72512, invalid read or write for palette image when invalid transparent index is used
| -rw-r--r-- | ext/gd/libgd/gd.c | 13 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 8 | ||||
| -rw-r--r-- | ext/gd/tests/bug72512.phpt | 17 |
3 files changed, 32 insertions, 6 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index 6f71cc183a..73548062bb 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -597,15 +597,18 @@ void gdImageColorDeallocate (gdImagePtr im, int color) void gdImageColorTransparent (gdImagePtr im, int color) { + if (color < 0) { + return; + } if (!im->trueColor) { + if((color >= im->colorsTotal)) { + return; + } + /* Make the old transparent color opaque again */ if (im->transparent != -1) { im->alpha[im->transparent] = gdAlphaOpaque; } - if (color > -1 && color < im->colorsTotal && color < gdMaxColors) { - im->alpha[color] = gdAlphaTransparent; - } else { - return; - } + im->alpha[color] = gdAlphaTransparent; } im->transparent = color; } diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 83319966f9..fb34982582 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1244,7 +1244,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int if (new_img == NULL) { return NULL; } - new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + + if (transparent < 0) { + /* uninitialized */ + new_img->transparent = -1; + } else { + new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + } for (i=0; i < _height; i++) { long j; diff --git a/ext/gd/tests/bug72512.phpt b/ext/gd/tests/bug72512.phpt new file mode 100644 index 0000000000..2a2024d4cb --- /dev/null +++ b/ext/gd/tests/bug72512.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd)) +--SKIPIF-- +<?php + if (!extension_loaded('gd')) die("skip gd extension not available\n"); +?> +--FILE-- +<?php +$img = imagecreatetruecolor(100, 100); +imagecolortransparent($img, -1000000); +imagetruecolortopalette($img, TRUE, 3); +imagecolortransparent($img, 9); +echo "OK"; +?> +--EXPECT-- +OK + |