author | Christoph M. Becker <cmbecker69@gmx.de> | 2017-01-21 01:21:03 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2017-01-21 13:04:36 +0100 |
commit | f67d599a0179d0895170c77188847ae60b497714 (patch) | |
tree | 747c8c3badfbe3beaaaf57cc50450852d13e1464 | |
parent | 8da87563122e4d14208b2827fd6b2807578677ec (diff) | |
Fix #73968: Premature failing of XBM reading
We must take the line padding into account when we're reading XBM
files.
We deliberately ignore the potential integer overflow here, because
that would be caught by gdImageCreate() or even earlier if `bytes==0`,
which is what happens in libgd00094.phpt, which we adapt accordingly.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/gd/libgd/xbm.c | 2 | ||||
-rw-r--r-- | ext/gd/tests/bug73968.phpt | 15 | ||||
-rw-r--r-- | ext/gd/tests/bug73968.xbm | 5 | ||||
-rw-r--r-- | ext/gd/tests/libgd00094.phpt | 3 |
5 files changed, 24 insertions, 4 deletions
@@ -15,6 +15,9 @@ PHP NEWS . Fixed bug #67583 (double fastcgi_end_request on max_children limit). (Dmitry Saprykin) +- GD: + . Fixed bug #73968 (Premature failing of XBM reading). (cmb) + - GMP: . Fixed bug #69993 (test for gmp.h needs to test machine includes). (Jordan Gigov)
diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c
index 88d27a9c93..044159db12 100644
--- a/ext/gd/libgd/xbm.c
+++ b/ext/gd/libgd/xbm.c
@@ -77,7 +77,7 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
 max_bit = 32768;
 }
 if (max_bit) {
- bytes = (width * height / 8) + 1;
+ bytes = (width + 7) / 8 * height;
 if (!bytes) {
 return 0;
 }
diff --git a/ext/gd/tests/bug73968.phpt b/ext/gd/tests/bug73968.phpt
new file mode 100644
index 0000000000..fd17fe26ba
--- /dev/null
+++ b/ext/gd/tests/bug73968.phpt
@@ -0,0 +1,15 @@
+--TEST--
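Review bot: The new `bytes = (width + 7) / 8 * height;` in ext/gd/libgd/xbm.c can still wrap for large header dimensions, and the only check in this hunk, `if (!bytes)`, catches a wrap only when the result happens to be exactly zero; the commit message says gdImageCreate() rejects the rest, but nothing in the code records that dependency. Since width and height are read from the XBM file itself, I would either state it at the assignment, e.g. `/* rows are padded to whole bytes; overflow is not checked here, gdImageCreate() must reject oversized dimensions */`, or make the guard local with `if (height && (width + 7) / 8 > INT_MAX / height) return 0;` (this assumes `bytes` is an `int` and the dimensions are unsigned; the declarations are outside the hunk). The formula also counts 8 pixels per data item while the context line `max_bit = 32768;` suggests a 16-bit variant is handled too, so it is presumably only an upper bound there; worth confirming against the read loop, which is not shown. The body of gdImageCreateFromXbm starts and ends outside this hunk.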
+Bug #73968 (Premature failing of XBM reading)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromxbm(__DIR__ . DIRECTORY_SEPARATOR . 'bug73968.xbm');
+var_dump($im);
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===
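Review bot: The expectation `resource(%d) of type (gd)` in bug73968.phpt only proves that loading no longer fails, so a decoder that accepts the padded file but maps the padding bits onto pixels would still pass. The fixture bug73968.xbm alternates fully set and fully clear 10-pixel rows, so two pixel probes after `var_dump($im);` would pin the row layout, for example `var_dump(imagecolorat($im, 9, 0) === imagecolorat($im, 0, 0));` and `var_dump(imagecolorat($im, 0, 0) !== imagecolorat($im, 0, 1));`, each with a matching `bool(true)` line under `--EXPECTF--`.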
diff --git a/ext/gd/tests/bug73968.xbm b/ext/gd/tests/bug73968.xbm
new file mode 100644
index 0000000000..f427d86a54
--- /dev/null
+++ b/ext/gd/tests/bug73968.xbm
@@ -0,0 +1,5 @@
+#define test_width 10
+#define test_height 10
+static unsigned char test_bits[] = {
+ 0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00,
+ 0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00};
diff --git a/ext/gd/tests/libgd00094.phpt b/ext/gd/tests/libgd00094.phpt
index d1d68eab04..d06afc4729 100644
--- a/ext/gd/tests/libgd00094.phpt
+++ b/ext/gd/tests/libgd00094.phpt
@@ -11,9 +11,6 @@ $im = imagecreatefromxbm(dirname(__FILE__) . '/libgd00094.xbm'); var_dump($im); ?> --EXPECTF-- -Warning: imagecreatefromxbm(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully - in %slibgd00094.php on line %d - Warning: imagecreatefromxbm(): '%slibgd00094.xbm' is not a valid XBM file in %slibgd00094.php on line %d bool(false) |