-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/gd/gd.c | 9 | ||||
-rw-r--r-- | ext/gd/tests/bug72709.phpt | 18 |
3 files changed, 27 insertions, 1 deletions
@@ -42,6 +42,7 @@ PHP NEWS
 blendingmode). (cmb)
 . Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c). (cmb)
 . Fixed bug #68712 (suspicious if-else statements). (cmb)
+ . Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
 - Intl:
 . Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 533dc502ca..052d568d76 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1555,6 +1555,7 @@ PHP_FUNCTION(imagesetstyle)
 int * stylearr;
 int index;
 HashPosition pos;
+ int num_styles;
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ra", &IM, &styles) == FAILURE) {
 return;
@@ -1562,8 +1563,14 @@ PHP_FUNCTION(imagesetstyle)
 ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
+ num_styles = zend_hash_num_elements(HASH_OF(styles));
+ if (num_styles == 0) {
+ php_error_docref(NULL, E_WARNING, "styles array must not be empty");
+ RETURN_FALSE;
+ }
+
 /* copy the style values in the stylearr */
- stylearr = safe_emalloc(sizeof(int), zend_hash_num_elements(HASH_OF(styles)), 0);
+ stylearr = safe_emalloc(sizeof(int), num_styles, 0);
 zend_hash_internal_pointer_reset_ex(HASH_OF(styles), &pos);
diff --git a/ext/gd/tests/bug72709.phpt b/ext/gd/tests/bug72709.phpt
new file mode 100644
index 0000000000..1c5b1f4ae0
--- /dev/null
+++ b/ext/gd/tests/bug72709.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72709 (imagesetstyle() causes OOB read for empty $styles)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip ext/gd not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(1, 1);
+var_dump(imagesetstyle($im, array()));
+imagesetpixel($im, 0, 0, IMG_COLOR_STYLED);
+imagedestroy($im);
+?>
+====DONE====
+--EXPECTF--
+Warning: imagesetstyle(): styles array must not be empty in %s%ebug72709.php on line %d
+bool(false)
+====DONE====
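Review bot: The new php_error_docref() call in the second ext/gd/gd.c hunk omits the TSRMLS_CC argument that the same function passes to zend_parse_parameters() a few lines earlier in the first hunk; if this branch still builds with ZTS (the TSRMLS_CC on that line suggests it does), the call as written will only compile in non-ZTS builds, so it should read `php_error_docref(NULL TSRMLS_CC, E_WARNING, "styles array must not be empty");`. The guard itself is in the right place: it refuses an empty array before safe_emalloc() and before the style copy loop, so the zero-length style buffer that the bug report describes can no longer reach gd. PHP_FUNCTION(imagesetstyle) continues outside the hunk, and the last two context lines the hunk header accounts for are not visible on this page.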