From 041210f44177a9c28a62c64bc84798d80272e3c7 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 7 Jun 2016 10:04:25 +0200 Subject: 7.0.9 next --- NEWS | 6 +++++- configure.in | 2 +- main/php_version.h | 6 +++--- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index 54c7960acf..16dafa5bbc 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2016 PHP 7.0.8 +?? ??? 2016 PHP 7.0.9 + + + +23 Jun 2016 PHP 7.0.8 - Core: . Fixed bug #72221 (segfault, past-the-end access). (Lauri Kenttä) diff --git a/configure.in b/configure.in index 5a437969f4..142cf7f77b 100644 --- a/configure.in +++ b/configure.in @@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=0 -PHP_RELEASE_VERSION=8 +PHP_RELEASE_VERSION=9 PHP_EXTRA_VERSION="-dev" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 63542ec8d3..f88ce5e69e 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 0 -#define PHP_RELEASE_VERSION 8 +#define PHP_RELEASE_VERSION 9 #define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "7.0.8-dev" -#define PHP_VERSION_ID 70008 +#define PHP_VERSION "7.0.9-dev" +#define PHP_VERSION_ID 70009 -- cgit v1.2.1 From f80125950ca5de51b6f5851f82c80a99d571de6c Mon Sep 17 00:00:00 2001 
From: Pierre Joye Date: Tue, 7 Jun 2016 17:16:40 +0700 Subject: #72337 invalid dimensions can lead to segv --- ext/gd/gd.c | 4 ++++ ext/gd/libgd/gd_interpolation.c | 34 +++++++++++++++++++++++++++++++++- ext/gd/tests/bug72337.phpt | 14 ++++++++++++++ 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 ext/gd/tests/bug72337.phpt diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 0fce8ddcdf..cb070abf84 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -5145,6 +5145,10 @@ PHP_FUNCTION(imagescale) } } + if (tmp_h <= 0 || tmp_w <= 0) { + RETURN_FALSE; + } + new_width = tmp_w; new_height = tmp_h; diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index cf67ec9b46..6d703b8b30 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1059,6 +1059,10 @@ gdImagePtr gdImageScaleTwoPass(const gdImagePtr src, const unsigned int src_widt gdImagePtr tmp_im; gdImagePtr dst; + if (new_width == 0 || new_height == 0) { + return NULL; + } + /* Convert to truecolor if it isn't; this code requires it. */ if (!src->trueColor) { gdImagePaletteToTrueColor(src); @@ -1087,6 +1091,10 @@ gdImagePtr Scale(const gdImagePtr src, const unsigned int src_width, const unsig { gdImagePtr tmp_im; + if (new_width == 0 || new_height == 0) { + return NULL; + } + tmp_im = gdImageCreateTrueColor(new_width, src_height); if (tmp_im == NULL) { return NULL; @@ -1120,6 +1128,10 @@ gdImagePtr gdImageScaleNearestNeighbour(gdImagePtr im, const unsigned int width, unsigned long dst_offset_y = 0; unsigned int i; + if (new_width == 0 || new_height == 0) { + return NULL; + } + dst_img = gdImageCreateTrueColor(new_width, new_height); if (dst_img == NULL) { 
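Review bot: In ext/gd/gd.c, PHP_FUNCTION(imagescale), the added guard rejects only non-positive `tmp_w`/`tmp_h`, so an over-large value still reaches the assignments `new_width = tmp_w; new_height = tmp_h;` that follow it. The declarations are outside the hunk; if the `tmp_*` variables are wider than the `new_*` ones (for example a 64-bit integer assigned to an `int`), a value above `INT_MAX` would be truncated there and could become zero or negative after the check has already passed. Bounding both sides would close that gap, e.g. `if (tmp_h <= 0 || tmp_h > INT_MAX || tmp_w <= 0 || tmp_w > INT_MAX) {`. The function body starts and ends outside the hunk, so the types should be confirmed against the full source.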
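Review bot: In gdImageScaleNearestNeighbour (ext/gd/libgd/gd_interpolation.c), the added guard tests `new_width`/`new_height`, but the signature in the hunk header names the caller-supplied dimension `width`, so the tested names must be locals declared above the hunk. If those locals are derived from the parameters with a lower clamp (something like `MAX(1, width)`), the guard can never fire and a zero argument is silently scaled to one pixel instead of being rejected. Testing the parameters directly, `if (width == 0 || height == 0) { return NULL; }` (assuming the second parameter is `height`), would make the rejection explicit. The same applies to the gdImageScaleBicubicFixed hunk, whose header also shows a `width` parameter. Both function bodies extend beyond their hunks.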
@@ -1221,6 +1233,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int gdImagePtr new_img; const int transparent = im->transparent; + if (new_width == 0 || new_height == 0) { + return NULL; + } + new_img = gdImageCreateTrueColor(new_width, new_height); if (new_img == NULL) { return NULL; @@ -1313,6 +1329,10 @@ static gdImagePtr gdImageScaleBilinearTC(gdImagePtr im, const unsigned int new_w long i; gdImagePtr new_img; + if (new_width == 0 || new_height == 0) { + return NULL; + } + new_img = gdImageCreateTrueColor(new_width, new_height); if (!new_img){ return NULL; @@ -1412,6 +1432,10 @@ gdImagePtr gdImageScaleBicubicFixed(gdImagePtr src, const unsigned int width, co unsigned int dst_offset_y = 0; long i; + if (new_width == 0 || new_height == 0) { + return NULL; + } + /* impact perf a bit, but not that much. Implementation for palette images can be done at a later point. */ @@ -1634,7 +1658,11 @@ gdImagePtr gdImageScale(const gdImagePtr src, const unsigned int new_width, cons gdImagePtr im_scaled = NULL; if (src == NULL || src->interpolation_id < 0 || src->interpolation_id > GD_METHOD_COUNT) { - return 0; + return NULL; + } + + if (new_width == 0 || new_height == 0) { + return NULL; } switch (src->interpolation_id) { @@ -1680,6 +1708,10 @@ gdImagePtr gdImageRotateNearestNeighbour(gdImagePtr src, const float degrees, co unsigned int i; gdImagePtr dst; + if (new_width == 0 || new_height == 0) { + return NULL; + } + dst = gdImageCreateTrueColor(new_width, new_height); if (!dst) { return NULL; diff --git a/ext/gd/tests/bug72337.phpt b/ext/gd/tests/bug72337.phpt new file mode 100644 index 0000000000..7b8a869577 --- /dev/null +++ b/ext/gd/tests/bug72337.phpt @@ -0,0 +1,14 @@ +--TEST-- + #72337 segfault in imagescale with new dimensions being <=0) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +OK -- cgit v1.2.1 From 99f8a5587b43fc39d8d3fbff16ea78866c164f71 Mon Sep 17 00:00:00 2001 
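Review bot: In gdImageRotateNearestNeighbour, `new_width` and `new_height` are not parameters (the header shows `src` and `degrees`), so the guard protects against a computed size of zero, and this is the only rotation routine the commit touches. If the other rotate functions in gd_interpolation.c compute their destination size the same way, they presumably need the same `if (new_width == 0 || new_height == 0) { return NULL; }` before calling `gdImageCreateTrueColor`. A one-line comment such as `/* rotated bounding box can round down to 0 for tiny sources */` would also explain why a computed value is checked here. The function body starts and ends outside the hunk, so this should be confirmed against the full file.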
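Review bot: In ext/gd/tests/bug72337.phpt the `--TEST--` title has an unbalanced closing parenthesis; `#72337 segfault in imagescale with new dimensions being <=0` reads cleanly. The `--SKIPIF--` and `--FILE--` bodies are not visible on this page, so what the script asserts cannot be judged from here. If it only prints `OK` after calling imagescale, the test proves the absence of a crash but not the new contract. Checking that the call returns `false` for zero and for negative dimensions would pin the behaviour added in gd.c.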
From: Pierre Joye Date: Tue, 7 Jun 2016 17:40:55 +0700 Subject: update NEWS --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 16dafa5bbc..48cb9167ff 100644 --- a/NEWS +++ b/NEWS @@ -79,7 +79,7 @@ PHP NEWS - GD: . Fixed bug #72227 (imagescale out-of-bounds read). (Stas) - + . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre) - Intl: . Fixed #72241 (get_icu_value_internal out-of-bounds read). (Stas) -- cgit v1.2.1 From 1d0f1283510757782d4898f98aae62d0c3bb58fd Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 7 Jun 2016 18:41:17 +0200 Subject: add missing NEWS entry --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index 7b94ee3a1e..7df775b4a8 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2016, PHP 5.6.23 +- GD: + . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre) + - Intl: . Fixed bug #70484 (selectordinal doesn't work with named parameters). (Anatol) -- cgit v1.2.1 From 7935a1e2ffce75df715b4332c45d6f21c9dcaf80 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 7 Jun 2016 18:44:40 +0200 Subject: fix NEWS --- NEWS | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 48cb9167ff..1e1d8ad47a 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,9 @@ PHP NEWS . Fixed bug #72308 (fastcgi_finish_request and logging environment variables). (Laruence) +- GD: + . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre) + - Intl: . Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol) @@ -79,7 +82,7 @@ PHP NEWS - GD: . Fixed bug #72227 (imagescale out-of-bounds read). (Stas) - . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre) + - Intl: . Fixed #72241 (get_icu_value_internal out-of-bounds read). (Stas) -- cgit v1.2.1