From fc989fc6e773ccfb4d9ade0f466a3c5c2820bfdc Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 10 Oct 2016 11:40:16 +0200 Subject: Fix #73279: Integer overflow in gdImageScaleBilinearPalette() The color components are supposed to be in range 0..255, so we must not cast them to `signed char`, what can be the default for `char`. Port of . --- NEWS | 1 + ext/gd/libgd/gd_interpolation.c | 8 ++++---- ext/gd/tests/bug73279.phpt | 20 ++++++++++++++++++++ ext/gd/tests/bug73279_old.phpt | 22 ++++++++++++++++++++++ 4 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 ext/gd/tests/bug73279.phpt create mode 100644 ext/gd/tests/bug73279_old.phpt diff --git a/NEWS b/NEWS index a41168d066..9fc658ec7b 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ PHP NEWS . Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb) . Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()). (cmb) + . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb) - Standard: . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb) diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 4c11213a8e..1c151b5509 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c 
@@ -1331,10 +1331,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int f_a4 = gd_itofx(gdTrueColorGetAlpha(pixel4)); { - const char red = (char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4)); - const char green = (char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4)); - const char blue = (char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4)); - const char alpha = (char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4)); + const unsigned char red = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4)); + const unsigned char green = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4)); + const unsigned char blue = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4)); + const unsigned char alpha = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4)); new_img->tpixels[dst_offset_v][dst_offset_h] = gdTrueColorAlpha(red, green, blue, alpha); } diff --git a/ext/gd/tests/bug73279.phpt b/ext/gd/tests/bug73279.phpt new file mode 100644 index 0000000000..e6c6709039 --- /dev/null +++ b/ext/gd/tests/bug73279.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #73279 (Integer overflow in gdImageScaleBilinearPalette()) +--SKIPIF-- += 2.2.4'); +} +?> +--FILE-- + +===DONE=== +--EXPECT-- +color: ffffff +===DONE=== diff --git a/ext/gd/tests/bug73279_old.phpt b/ext/gd/tests/bug73279_old.phpt new file mode 100644 index 0000000000..0cbbec34f2 --- /dev/null +++ b/ext/gd/tests/bug73279_old.phpt 
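Review bot: The `(unsigned char)` casts on the four new `const unsigned char` lines still truncate modulo 256 rather than clamp, so a weighted sum that lands outside the channel range wraps to an unrelated value instead of saturating. That is only safe if `f_w1`..`f_w4` always sum to at most 1.0 in fixed point, and those weights are computed outside this hunk, so it cannot be confirmed here. Alpha needs separate care: libgd alpha runs 0..127 (`gdAlphaMax`), and with the unsigned type a value above that is passed unchanged into `gdTrueColorAlpha`, where it would presumably reach the sign bit of the packed int. I would keep each sum in an `int` and saturate before narrowing, e.g. `const int a = gd_fxtoi(...); const unsigned char alpha = (unsigned char)(a < 0 ? 0 : a > gdAlphaMax ? gdAlphaMax : a);` (with 255 as the bound for the colour channels), plus a comment such as `/* channels are 0..255, alpha 0..gdAlphaMax; never narrow through plain char */`. The enclosing function starts and ends outside the hunk.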
@@ -0,0 +1,22 @@ +--TEST-- +Bug #73279 (Integer overflow in gdImageScaleBilinearPalette()) +--SKIPIF-- +=')) { + die('skip only for external libgd < 2.2.4'); +} +?> +--FILE-- + +===DONE=== +--XFAIL-- +Bug #330 has not yet been fixed +--EXPECT-- +color: ffffff +===DONE=== -- cgit v1.2.1