-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 8 | ||||
-rw-r--r-- | ext/gd/tests/bug73279.phpt | 20 | ||||
-rw-r--r-- | ext/gd/tests/bug73279_old.phpt | 22 |
4 files changed, 47 insertions, 4 deletions
@@ -6,6 +6,7 @@ PHP NEWS . Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb) . Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()). (cmb) + . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb) - Standard: . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb) diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 4c11213a8e..1c151b5509 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1331,10 +1331,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int f_a4 = gd_itofx(gdTrueColorGetAlpha(pixel4)); { - const char red = (char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4)); - const char green = (char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4)); - const char blue = (char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4)); - const char alpha = (char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4)); + const unsigned char red = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4)); + const unsigned char green = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4)); + const unsigned char blue = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4)); + const unsigned char alpha = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4)); new_img->tpixels[dst_offset_v][dst_offset_h] = gdTrueColorAlpha(red, green, blue, alpha); } 
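Review bot: The `(unsigned char)` casts on the four channel sums in the gd_interpolation.c hunk still reduce the value modulo 256 instead of saturating, so a sum outside 0..255 (or above 127 for alpha, if the packed format reserves only seven bits for it) would wrap to an unrelated value rather than the nearest valid one. The weights `f_w1`..`f_w4` are computed outside this hunk, so whether fixed-point rounding can push a sum out of range cannot be confirmed from here; if it can, compute into an `int` and clamp, e.g. `const int r = gd_fxtoi(...);` followed by `const unsigned char red = (unsigned char)(r < 0 ? 0 : (r > 255 ? 255 : r));`. A short comment such as `/* unsigned: plain char may be signed, and a negative channel corrupts the packed pixel */` would also keep the type from being changed back later. The body of gdImageScaleBilinearPalette starts and ends outside the hunk.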
diff --git a/ext/gd/tests/bug73279.phpt b/ext/gd/tests/bug73279.phpt
new file mode 100644
index 0000000000..e6c6709039
--- /dev/null
+++ b/ext/gd/tests/bug73279.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.4', '<')) {
+ die('skip only for bundled libgd or external libgd >= 2.2.4');
+}
+?>
+--FILE--
+<?php
+$src = imagecreate(100, 100);
+imagecolorallocate($src, 255, 255, 255);
+$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
+printf("color: %x\n", imagecolorat($dst, 99, 99));
+?>
+===DONE===
+--EXPECT--
+color: ffffff
+===DONE===
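Review bot: The `--FILE--` section asserts on a single pixel, `imagecolorat($dst, 99, 99)`, of an all-white source, so a regression that affects only some positions or only the alpha channel would still pass. Printing a few more coordinates, for example `imagecolorat($dst, 0, 0)` and `imagecolorat($dst, 199, 199)`, would widen the check, provided the edge pixels are also expected to come out as `ffffff`. The same applies to the identical script in bug73279_old.phpt.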
diff --git a/ext/gd/tests/bug73279_old.phpt b/ext/gd/tests/bug73279_old.phpt
new file mode 100644
index 0000000000..0cbbec34f2
--- /dev/null
+++ b/ext/gd/tests/bug73279_old.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (GD_BUNDLED || version_compare(GD_VERSION, '2.2.4', '>=')) {
+ die('skip only for external libgd < 2.2.4');
+}
+?>
+--FILE--
+<?php
+$src = imagecreate(100, 100);
+imagecolorallocate($src, 255, 255, 255);
+$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
+printf("color: %x\n", imagecolorat($dst, 99, 99));
+?>
+===DONE===
+--XFAIL--
+Bug #330 has not yet been fixed
+--EXPECT--
+color: ffffff
+===DONE===