diff options
| -rw-r--r-- | ext/gd/libgd/gd.c | 51 | ||||
| -rw-r--r-- | ext/gd/tests/bug72482.phpt | 19 | ||||
| -rw-r--r-- | ext/gd/tests/bug72482_2.phpt | 21 | ||||
| -rw-r--r-- | ext/gd/tests/bug72482_2.png | bin | 0 -> 118 bytes |
4 files changed, 43 insertions, 48 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index 033d4fa5f0..058f1c9759 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color) } /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */ - if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) { + if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) { return; } @@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col) long x, y, inc, frac; long dx, dy,tmp; - if (y1 < 0 && y2 < 0) { - return; - } - if (y1 < 0) { - x1 += (y1 * (x1 - x2)) / (y2 - y1); - y1 = 0; - } - if (y2 < 0) { - x2 += (y2 * (x1 - x2)) / (y2 - y1); - y2 = 0; - } - - /* bottom edge */ - if (y1 >= im->sy && y2 >= im->sy) { - return; - } - if (y1 >= im->sy) { - x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1); - y1 = im->sy - 1; - } - if (y2 >= im->sy) { - x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1); - y2 = im->sy - 1; - } - - /* left edge */ - if (x1 < 0 && x2 < 0) { - return; - } - if (x1 < 0) { - y1 += (x1 * (y1 - y2)) / (x2 - x1); - x1 = 0; - } - if (x2 < 0) { - y2 += (x2 * (y1 - y2)) / (x2 - x1); - x2 = 0; - } - /* right edge */ - if (x1 >= im->sx && x2 >= im->sx) { + /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */ + if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) { return; } - if (x1 >= im->sx) { - y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1); - x1 = im->sx - 1; - } - if (x2 >= im->sx) { - y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1); - x2 = im->sx - 1; - } dx = x2 - x1; dy = y2 - y1; diff --git a/ext/gd/tests/bug72482.phpt b/ext/gd/tests/bug72482.phpt new file mode 100644 index 0000000000..548921d559 --- /dev/null +++ b/ext/gd/tests/bug72482.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +$img = imagecreatetruecolor(13, 1007); +imageantialias($img, true); +imageline($img, 0, 0, 1073745919, 1073745919, 4096); + +$img = imagecreatetruecolor(100, 100); +imageantialias($img, true); +imageline($img, 1094795585, 0, 2147483647, 255, 0xff); +?> +===DONE=== +--EXPECT-- +===DONE=== diff --git a/ext/gd/tests/bug72482_2.phpt b/ext/gd/tests/bug72482_2.phpt new file mode 100644 index 0000000000..a8a08faa53 --- /dev/null +++ b/ext/gd/tests/bug72482_2.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc'; + +$im = imagecreatetruecolor(10, 10); +imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255)); +imageantialias($im, true); +imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0)); + +test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im); +?> +===DONE=== +--EXPECT-- +The images are equal. +===DONE=== diff --git a/ext/gd/tests/bug72482_2.png b/ext/gd/tests/bug72482_2.png Binary files differnew file mode 100644 index 0000000000..da90b2a267 --- /dev/null +++ b/ext/gd/tests/bug72482_2.png |
