diff options
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 2 | ||||
-rw-r--r-- | ext/gd/tests/bug70976.phpt | 13 |
3 files changed, 18 insertions, 1 deletions
@@ -4,6 +4,10 @@ PHP NEWS ?? ??? 2015, PHP 5.5.31 +- GD: + . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index + Out of Bounds). (emmanuel dot law at gmail dot com). + 01 Oct 2015, PHP 5.5.30 - Phar: diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 65e2360776..efb584c1e4 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -2154,7 +2154,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in { const int angle_rounded = (int)floor(angle * 100); - if (bgcolor < 0) { + if (bgcolor < 0 || bgcolor >= gdMaxColors) { return NULL; } diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt new file mode 100644 index 0000000000..23af4eedc7 --- /dev/null +++ b/ext/gd/tests/bug70976.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds) +--SKIPIF-- +<?php + if(!extension_loaded('gd')){ die('skip gd extension not available'); } +?> +--FILE-- +<?php +$img = imagerotate(imagecreate(1,1),45,0x7ffffff9); +var_dump($img); +?> +--EXPECTF-- +bool(false)
\ No newline at end of file |