diff options
| -rw-r--r-- | NEWS | 6 | ||||
| -rw-r--r-- | ext/gd/libgd/gd.c | 6 | ||||
| -rw-r--r-- | ext/gd/tests/github_bug_215.phpt | 43 |
3 files changed, 54 insertions, 1 deletions
@@ -15,6 +15,9 @@ PHP NEWS . Fixed bug #72308 (fastcgi_finish_request and logging environment variables). (Laruence) +- GD: + . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre) + - Intl: . Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol) @@ -1005,7 +1008,8 @@ PHP NEWS - GD: . Fixed bug #53156 (imagerectangle problem with point ordering). (cmb) - . Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb) + . Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874) + (cmb) . Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb) . Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb) . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb) diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index b427831672..0b0d933bfd 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -1767,6 +1767,12 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color) return; } + if (!im->trueColor) { + if ((color > (im->colorsTotal - 1)) || (border > (im->colorsTotal - 1)) || (color < 0)) { + return; + } + } + restoreAlphaBlending = im->alphaBlendingFlag; im->alphaBlendingFlag = 0; diff --git a/ext/gd/tests/github_bug_215.phpt b/ext/gd/tests/github_bug_215.phpt new file mode 100644 index 0000000000..f44a5401e1 --- /dev/null +++ b/ext/gd/tests/github_bug_215.phpt @@ -0,0 +1,43 @@ +--TEST-- +Github #215 (imagefilltoborder stack overflow when invalid pallete index used) +--SKIPIF-- +<?php +if (!extension_loaded("gd")) die("skip GD not present"); +?> +--FILE-- +<?php +$image = imagecreate( 10, 10 ); +$bgd = imagecolorallocate( $image, 0, 0, 0 ); +$border = imagecolorallocate( $image, 255, 0, 0 ); +$fillcolor = imagecolorallocate( $image, 255, 0, 0 ); + +/* Use unallocated color index */ +imagefilltoborder( $image, 0,0, $border+10, $fillcolor); +echo "#1 passes\n"; + +/* Use negative color index */ +imagefilltoborder( $image, 0,0, -$border, $fillcolor); +echo "#2 passes\n"; + + +/* Use unallocated color index */ +imagefilltoborder( $image, 0,0, $border, $fillcolor+10); +echo "#3 passes\n"; + +/* Use negative color index */ +imagefilltoborder( $image, 0,0, $border, -$fillcolor); +echo "#4 passes\n"; + + +/* Use negative color index */ +imagefilltoborder( $image, 0,0, $border+10, $fillcolor+10); +echo "#5 passes"; + + +?> +--EXPECT-- +#1 passes +#2 passes +#3 passes +#4 passes +#5 passes |