summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--NEWS1
-rw-r--r--ext/gd/libgd/gd_interpolation.c7
-rw-r--r--ext/gd/libgd/gd_matrix.c2
-rw-r--r--ext/gd/tests/bug79067.phpt14
4 files changed, 21 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index b71fad0f8f..bb7dd649db 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,7 @@ PHP NEWS
- GD:
. Fixed bug #78923 (Artifacts when convoluting image with transparency).
(wilson chen)
+ . Fixed bug #79067 (gdTransformAffineCopy() may use unitialized values). (cmb)
- Libxml:
. Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence)
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 86549a279d..489f3c9694 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2334,7 +2334,7 @@ int gdTransformAffineGetImage(gdImagePtr *dst,
* src_area - Rectangular region to rotate in the src image
*
* Returns:
- * GD_TRUE if the affine is rectilinear or GD_FALSE
+ * GD_TRUE on success or GD_FALSE on failure
*/
int gdTransformAffineCopy(gdImagePtr dst,
int dst_x, int dst_y,
@@ -2393,7 +2393,10 @@ int gdTransformAffineCopy(gdImagePtr dst,
end_y = bbox.height + (int) fabs(bbox.y);
/* Get inverse affine to let us work with destination -> source */
- gdAffineInvert(inv, affine);
+ if (gdAffineInvert(inv, affine) == GD_FALSE) {
+ gdImageSetInterpolationMethod(src, interpolation_id_bak);
+ return GD_FALSE;
+ }
src_offset_x = src_region->x;
src_offset_y = src_region->y;
diff --git a/ext/gd/libgd/gd_matrix.c b/ext/gd/libgd/gd_matrix.c
index 0a67f1dc26..d2dfbd2d16 100644
--- a/ext/gd/libgd/gd_matrix.c
+++ b/ext/gd/libgd/gd_matrix.c
@@ -55,7 +55,7 @@ int gdAffineApplyToPointF (gdPointFPtr dst, const gdPointFPtr src,
* <gdAffineIdentity>
*
* Returns:
- * GD_TRUE if the affine is rectilinear or GD_FALSE
+ * GD_TRUE on success or GD_FALSE on failure
*/
int gdAffineInvert (double dst[6], const double src[6])
{
diff --git a/ext/gd/tests/bug79067.phpt b/ext/gd/tests/bug79067.phpt
new file mode 100644
index 0000000000..1442b7fb56
--- /dev/null
+++ b/ext/gd/tests/bug79067.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #79067 (gdTransformAffineCopy() may use unitialized values)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$matrix = [1, 1, 1, 1, 1, 1];
+$src = imagecreatetruecolor(8, 8);
+var_dump(imageaffine($src, $matrix));
+?>
+--EXPECT--
+bool(false)
View Lorry Controller Status