- check max colors while loading gd2 palette image (patch by Tomas Hoger)

3 files changed, 19 insertions, 0 deletions

diff --git a/ext/gd/libgd/gd_gd.c b/ext/gd/libgd/gd_gd.c
index 55587d43e8..81a957d414 100644
--- a/ext/gd/libgd/gd_gd.c
+++ b/ext/gd/libgd/gd_gd.c
@@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
 			if (!gdGetWord(&im->colorsTotal, in)) {
 				goto fail1;
 			}
+			if (im->colorsTotal > gdMaxColors) {
+				goto fail1;
+			}
 		}
 		/* Int to accommodate truecolor single-color transparency */
 		if (!gdGetInt(&im->transparent, in)) {
diff --git a/ext/gd/tests/crafted.gd2 b/ext/gd/tests/crafted.gd2
new file mode 100644
index 0000000000..45c944cc29
--- /dev/null
+++ b/ext/gd/tests/crafted.gd2
diff --git a/ext/gd/tests/crafted_gd2.phpt b/ext/gd/tests/crafted_gd2.phpt
new file mode 100644
index 0000000000..7bcbc4e68b
--- /dev/null
+++ b/ext/gd/tests/crafted_gd2.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Test max colors for a gd image.
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) {
+		die("skip gd extension not available\n");
+	}
+?>
+--FILE--
+<?php
+imagecreatefromgd(dirname(__FILE__) . '/crafted.gd2');
+?>
+--EXPECTF--
+
+Warning: imagecreatefromgd(): '%scrafted.gd2' is not a valid GD file in %s on line %d
+