fix #72512, invalid read or write for palette image when invalid transparent index is used

Conflicts:
	ext/gd/libgd/gd.c

3 files changed, 26 insertions, 3 deletions

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index c501c67673..9fce60b5d1 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -602,11 +602,11 @@ void gdImageColorTransparent (gdImagePtr im, int color)
 	if (color < 0) {
 		return;
 	}
-
 	if (!im->trueColor) {
-		if((color >= gdMaxColors)) {
+		if((color >= im->colorsTotal)) {
 			return;
 		}
+		/* Make the old transparent color opaque again */
 		if (im->transparent != -1) {
 			im->alpha[im->transparent] = gdAlphaOpaque;
 		}
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 0ff10b9f4f..ca106add7c 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -1247,7 +1247,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
 	if (new_img == NULL) {
 		return NULL;
 	}
-	new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+
+	if (transparent < 0) {
+		/* uninitialized */
+		new_img->transparent = -1;
+	} else {
+		new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+	}
 
 	for (i=0; i < _height; i++) {
 		long j;
diff --git a/ext/gd/tests/bug72512.phpt b/ext/gd/tests/bug72512.phpt
new file mode 100644
index 0000000000..2a2024d4cb
--- /dev/null
+++ b/ext/gd/tests/bug72512.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd))
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(100, 100);
+imagecolortransparent($img, -1000000);
+imagetruecolortopalette($img, TRUE, 3);
+imagecolortransparent($img, 9);
+echo "OK";
+?>
+--EXPECT--
+OK
+