-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/gd/libgd/gd_crop.c | 4 | ||||
-rw-r--r-- | ext/gd/tests/bug72494.phpt | 15 |
3 files changed, 21 insertions, 0 deletions
@@ -377,6 +377,8 @@ PHP NEWS
 . Fixed bug #68712 (suspicious if-else statements). (cmb)
 . Fixed bug #72697 (select_colors write out-of-bounds). (Stas)
 . Fixed bug #72730 (imagegammacorrect allows arbitrary write access). (Stas)
+ . Fixed bug #72494 (imagecropauto out-of-bounds access). (Fernando, Pierre,
+ cmb)
 - Intl:
 . Fixed bug #72639 (Segfault when instantiating class that extends
diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
index 8331521446..58b630317d 100644
--- a/ext/gd/libgd/gd_crop.c
+++ b/ext/gd/libgd/gd_crop.c
@@ -243,6 +243,10 @@ gdImagePtr gdImageCropThreshold(gdImagePtr im, const unsigned int color, const f
 return NULL;
 }
+ if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
+ return NULL;
+ }
+
 /* TODO: Add gdImageGetRowPtr and works with ptr at the row level
 * for the true color and palette images
 * new formats will simply work with ptr
diff --git a/ext/gd/tests/bug72494.phpt b/ext/gd/tests/bug72494.phpt
new file mode 100644
index 0000000000..f21de6ca3b
--- /dev/null
+++ b/ext/gd/tests/bug72494.phpt
@@ -0,0 +1,15 @@
+--TEST--
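Review bot: The new palette guard in gdImageCropThreshold (ext/gd/libgd/gd_crop.c) has no comment saying why only non-truecolor images are checked, and it returns NULL silently, so a caller cannot tell a rejected color from the NULL return just above it. A one-line comment such as `/* palette image: color must be an allocated index (< colorsTotal) before it is used below */` would record the invariant; the later use of `color` lies outside the hunk, so confirm the wording against the rest of the function. `color` is `const unsigned int`, so if `gdImageColorsTotal(im)` yields a signed int the comparison is done in unsigned arithmetic; writing `color >= (unsigned int) gdImageColorsTotal(im)` would make that conversion explicit.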
+Bug #72494 (imagecropauto out-of-bounds access)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreate(10,10);
+imagecropauto($im, IMG_CROP_THRESHOLD, 0, 1337);
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecropauto(): Color argument missing with threshold mode in %s on line %d
+===DONE===
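Review bot: The `--EXPECTF--` section pins the warning "Color argument missing with threshold mode", but nothing in this diff emits it: the gd_crop.c hunk only returns NULL, so the test presumably relies on a check in the imagecropauto() binding that is not part of this change. The wording is also misleading for this input, because the color argument (1337) is supplied and merely out of range for a palette image with no allocated colors. The test does not assert the return value either; `var_dump(imagecropauto($im, IMG_CROP_THRESHOLD, 0, 1337));` with `bool(false)` added to the expected output would pin the rejection itself rather than only the diagnostic.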