From f80125950ca5de51b6f5851f82c80a99d571de6c Mon Sep 17 00:00:00 2001 From: Pierre Joye Date: Tue, 7 Jun 2016 17:16:40 +0700 Subject: #72337 invalid dimensions can lead to segv --- ext/gd/gd.c | 4 ++++ ext/gd/libgd/gd_interpolation.c | 34 +++++++++++++++++++++++++++++++++- ext/gd/tests/bug72337.phpt | 14 ++++++++++++++ 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 ext/gd/tests/bug72337.phpt diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 0fce8ddcdf..cb070abf84 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -5145,6 +5145,10 @@ PHP_FUNCTION(imagescale) } } + if (tmp_h <= 0 || tmp_w <= 0) { + RETURN_FALSE; + } + new_width = tmp_w; new_height = tmp_h; diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index cf67ec9b46..6d703b8b30 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1059,6 +1059,10 @@ gdImagePtr gdImageScaleTwoPass(const gdImagePtr src, const unsigned int src_widt gdImagePtr tmp_im; gdImagePtr dst; + if (new_width == 0 || new_height == 0) { + return NULL; + } + /* Convert to truecolor if it isn't; this code requires it. */ if (!src->trueColor) { gdImagePaletteToTrueColor(src); @@ -1087,6 +1091,10 @@ gdImagePtr Scale(const gdImagePtr src, const unsigned int src_width, const unsig { gdImagePtr tmp_im; + if (new_width == 0 || new_height == 0) { + return NULL; + } + tmp_im = gdImageCreateTrueColor(new_width, src_height); if (tmp_im == NULL) { return NULL; @@ -1120,6 +1128,10 @@ gdImagePtr gdImageScaleNearestNeighbour(gdImagePtr im, const unsigned int width, unsigned long dst_offset_y = 0; unsigned int i; + if (new_width == 0 || new_height == 0) { + return NULL; + } + dst_img = gdImageCreateTrueColor(new_width, new_height); if (dst_img == NULL) { @@ -1221,6 +1233,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int gdImagePtr new_img; const int transparent = im->transparent; + if (new_width == 0 || new_height == 0) { + return NULL; + } + new_img = gdImageCreateTrueColor(new_width, new_height); if (new_img == NULL) { return NULL; @@ -1313,6 +1329,10 @@ static gdImagePtr gdImageScaleBilinearTC(gdImagePtr im, const unsigned int new_w long i; gdImagePtr new_img; + if (new_width == 0 || new_height == 0) { + return NULL; + } + new_img = gdImageCreateTrueColor(new_width, new_height); if (!new_img){ return NULL; @@ -1412,6 +1432,10 @@ gdImagePtr gdImageScaleBicubicFixed(gdImagePtr src, const unsigned int width, co unsigned int dst_offset_y = 0; long i; + if (new_width == 0 || new_height == 0) { + return NULL; + } + /* impact perf a bit, but not that much. Implementation for palette images can be done at a later point. */ @@ -1634,7 +1658,11 @@ gdImagePtr gdImageScale(const gdImagePtr src, const unsigned int new_width, cons gdImagePtr im_scaled = NULL; if (src == NULL || src->interpolation_id < 0 || src->interpolation_id > GD_METHOD_COUNT) { - return 0; + return NULL; + } + + if (new_width == 0 || new_height == 0) { + return NULL; } switch (src->interpolation_id) { @@ -1680,6 +1708,10 @@ gdImagePtr gdImageRotateNearestNeighbour(gdImagePtr src, const float degrees, co unsigned int i; gdImagePtr dst; + if (new_width == 0 || new_height == 0) { + return NULL; + } + dst = gdImageCreateTrueColor(new_width, new_height); if (!dst) { return NULL; diff --git a/ext/gd/tests/bug72337.phpt b/ext/gd/tests/bug72337.phpt new file mode 100644 index 0000000000..7b8a869577 --- /dev/null +++ b/ext/gd/tests/bug72337.phpt @@ -0,0 +1,14 @@ +--TEST-- + #72337 segfault in imagescale with new dimensions being <=0) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +OK -- cgit v1.2.1