author | Anatol Belski <ab@php.net> | 2016-11-08 11:06:52 +0100 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-11-08 11:06:52 +0100 |
commit | 33766347cbf6acb83ec3df23318b534ec0f40c48 (patch) | |
tree | 6cf5d2e8370cc0b258d8fa20762022a0e6cacb6d /ext/gd | |
parent | 493b2bff02531b0ead233177a2a0846c75e94777 (diff) | |
parent | 99b242a6d093bca1f64084866b4491061de57553 (diff) | |
download | php-git-33766347cbf6acb83ec3df23318b534ec0f40c48.tar.gz |
Merge remote-tracking branch 'phpsec/PHP-5.6.28' into PHP-5.6
Diffstat (limited to 'ext/gd')
-rw-r--r-- | ext/gd/libgd/gd.c | 53 | ||||
-rw-r--r-- | ext/gd/tests/bug72482.phpt | 19 | ||||
-rw-r--r-- | ext/gd/tests/bug72482_2.phpt | 21 | ||||
-rw-r--r-- | ext/gd/tests/bug72482_2.png | bin | 0 -> 118 bytes | |||
-rw-r--r-- | ext/gd/tests/bug72696.phpt | 14 |
5 files changed, 58 insertions, 49 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 033d4fa5f0..3e7d27a373 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
 }
 /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
- if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
 return;
 }
@@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
 long x, y, inc, frac;
 long dx, dy,tmp;
- if (y1 < 0 && y2 < 0) {
- return;
- }
- if (y1 < 0) {
- x1 += (y1 * (x1 - x2)) / (y2 - y1);
- y1 = 0;
- }
- if (y2 < 0) {
- x2 += (y2 * (x1 - x2)) / (y2 - y1);
- y2 = 0;
- }
-
- /* bottom edge */
- if (y1 >= im->sy && y2 >= im->sy) {
- return;
- }
- if (y1 >= im->sy) {
- x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
- y1 = im->sy - 1;
- }
- if (y2 >= im->sy) {
- x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
- y2 = im->sy - 1;
- }
-
- /* left edge */
- if (x1 < 0 && x2 < 0) {
- return;
- }
- if (x1 < 0) {
- y1 += (x1 * (y1 - y2)) / (x2 - x1);
- x1 = 0;
- }
- if (x2 < 0) {
- y2 += (x2 * (y1 - y2)) / (x2 - x1);
- x2 = 0;
- }
- /* right edge */
- if (x1 >= im->sx && x2 >= im->sx) {
+ /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
 return;
 }
- if (x1 >= im->sx) {
- y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
- x1 = im->sx - 1;
- }
- if (x2 >= im->sx) {
- y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
- x2 = im->sx - 1;
- }
 dx = x2 - x1;
 dy = y2 - y1;
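Review bot: The `-1` added to both clip_1d calls in gdImageLine turns the last argument from an image size into the largest valid coordinate, but the comment above the call is unchanged and says nothing about the bound being inclusive; the same pair of calls is added to gdImageAALine in the next hunk. A later cleanup could easily drop the `-1` again, so I would add `/* clip_1d's limit is the last valid index (inclusive), hence the -1 */` above the condition. clip_1d is not shown on this page, so its contract, and what it does when a dimension is 0 and the limit becomes -1, should be confirmed in its definition. gdImageLine starts and ends outside this hunk.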
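Review bot: The comment added to gdImageAALine is copied verbatim from gdImageLine, `2.0.10: Nick Atty` attribution included, and does not say why the hand-written edge clipping was removed. The removed lines divided by `(y2 - y1)` and `(x2 - x1)` in int arithmetic, and bug72482.phpt passes coordinates up to 2147483647, so the property that matters is that both endpoints lie inside the image before `dx = x2 - x1;` and `dy = y2 - y1;` are computed. I would replace the copied text with `/* Bug #72482: clip both endpoints into [0, sx-1] x [0, sy-1] before any slope arithmetic */`. The drawing code follows outside the hunk, so whether each pixel it touches, including any neighbour at +1, is bounds-checked cannot be confirmed from these lines.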
@@ -1792,7 +1747,7 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
 int leftLimit = -1, rightLimit;
 int i, restoreAlphaBlending = 0;
- if (border < 0) {
+ if (border < 0 || color < 0) {
 /* Refuse to fill to a non-solid border */
 return;
 }
diff --git a/ext/gd/tests/bug72482.phpt b/ext/gd/tests/bug72482.phpt
new file mode 100644
index 0000000000..548921d559
--- /dev/null
+++ b/ext/gd/tests/bug72482.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(13, 1007);
+imageantialias($img, true);
+imageline($img, 0, 0, 1073745919, 1073745919, 4096);
+
+$img = imagecreatetruecolor(100, 100);
+imageantialias($img, true);
+imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/gd/tests/bug72482_2.phpt b/ext/gd/tests/bug72482_2.phpt
new file mode 100644
index 0000000000..a8a08faa53
--- /dev/null
+++ b/ext/gd/tests/bug72482_2.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
+
+$im = imagecreatetruecolor(10, 10);
+imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
+imageantialias($im, true);
+imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
+
+test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
+?>
+===DONE===
+--EXPECT--
+The images are equal.
+===DONE===
diff --git a/ext/gd/tests/bug72482_2.png b/ext/gd/tests/bug72482_2.png
Binary files differnew file mode 100644
index 0000000000..da90b2a267
--- /dev/null
+++ b/ext/gd/tests/bug72482_2.png
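Review bot: In gdImageFillToBorder the comment under the widened condition, `/* Refuse to fill to a non-solid border */`, now describes only the `border < 0` half; `color < 0` is rejected for a different reason, which bug72696.phpt names as a stack overflow on truecolor images. I would reword it to `/* Refuse a non-solid border or a negative fill color (bug #72696) */`. Only the lower bound of both values is checked in the visible lines; an upper-bound check against the palette size, if there is one, sits further down the function outside this hunk and is worth confirming.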
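Review bot: bug72482.phpt expects only `===DONE===`, so it fails only when the process crashes; an out-of-bounds access that lands in mapped memory would pass unless the suite runs under valgrind or a sanitizer, and bug72696.phpt has the same shape. bug72482_2.phpt is stronger because it compares the rendered image with a reference file. I would state the dependency in the test itself with a `--DESCRIPTION--` section, for example `Crash-only check; meaningful when run under a memory checker (run-tests.php -m).`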
diff --git a/ext/gd/tests/bug72696.phpt b/ext/gd/tests/bug72696.phpt
new file mode 100644
index 0000000000..4f0d9e7f1d
--- /dev/null
+++ b/ext/gd/tests/bug72696.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #72696 (imagefilltoborder stackoverflow on truecolor images)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(10, 10);
+imagefilltoborder($im, 0, 0, 1, -2);
+?>
+===DONE===
+--EXPECT--
+===DONE=== |