authorChristoph M. Becker <cmb@php.net>2016-08-02 18:47:36 +0200
committerChristoph M. Becker <cmb@php.net>2016-08-02 18:49:59 +0200
commit3a8c027ec383811ed8a61e3db604d89b5efa58d6 (patch)
treef49a583ef18bd9540fcaf025a6bfde90ca5de620
parent072af35b5cc27ce0823e7f1ae1b4b25bc077a760 (diff)
parentf5622f5c8763fe180310ed7a47b999f160d7750b (diff)
downloadphp-git-3a8c027ec383811ed8a61e3db604d89b5efa58d6.tar.gz
Merge branch 'PHP-5.6' into PHP-7.0
-rw-r--r--NEWS2
-rw-r--r--ext/gd/gd.c9
-rw-r--r--ext/gd/tests/bug72709.phpt18
3 files changed, 28 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 0119795e45..27bd7b0275 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2016 PHP 7.0.11
+- GD:
+ . Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
?? ??? 2016 PHP 7.0.10
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 9375aeee1e..c7c6fe3fae 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1444,6 +1444,7 @@ PHP_FUNCTION(imagesetstyle)
gdImagePtr im;
int *stylearr;
int index = 0;
+ uint32_t num_styles;
if (zend_parse_parameters(ZEND_NUM_ARGS(), "ra", &IM, &styles) == FAILURE) {
return;
@@ -1453,8 +1454,14 @@ PHP_FUNCTION(imagesetstyle)
RETURN_FALSE;
}
+ num_styles = zend_hash_num_elements(Z_ARRVAL_P(styles));
+ if (num_styles == 0) {
+ php_error_docref(NULL, E_WARNING, "styles array must not be empty");
+ RETURN_FALSE;
+ }
+
/* copy the style values in the stylearr */
- stylearr = safe_emalloc(sizeof(int), zend_hash_num_elements(Z_ARRVAL_P(styles)), 0);
+ stylearr = safe_emalloc(sizeof(int), num_styles, 0);
ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(styles), item) {
stylearr[index++] = zval_get_long(item);
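Review bot: The empty-array guard added before `safe_emalloc` closes only this entry point, and nothing at the check says why an empty style is rejected. Going by the NEWS entry, the out-of-bounds read happens later, when a styled draw consumes the zero-length style buffer; that code is not in this hunk, so whether it validates the style length itself cannot be confirmed from here and is worth checking as a second line of defence. I would add a comment above the check such as `/* an empty style leaves a zero-length buffer that styled drawing would read past (bug #72709) */`. As a smaller point, `num_styles` is `uint32_t` while `index` stays `int`, and the rest of the function after the copy loop lies outside the hunk, so the two counts should be confirmed to agree wherever the length is handed on.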
diff --git a/ext/gd/tests/bug72709.phpt b/ext/gd/tests/bug72709.phpt
new file mode 100644
index 0000000000..1c5b1f4ae0
--- /dev/null
+++ b/ext/gd/tests/bug72709.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72709 (imagesetstyle() causes OOB read for empty $styles)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip ext/gd not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(1, 1);
+var_dump(imagesetstyle($im, array()));
+imagesetpixel($im, 0, 0, IMG_COLOR_STYLED);
+imagedestroy($im);
+?>
+====DONE====
+--EXPECTF--
+Warning: imagesetstyle(): styles array must not be empty in %s%ebug72709.php on line %d
+bool(false)
+====DONE====
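Review bot: The `imagesetpixel($im, 0, 0, IMG_COLOR_STYLED);` line asserts nothing about its result, so on its own it only demonstrates the fix when the suite runs under a memory checker. The regression is actually caught by the expected warning and `bool(false)`. A short comment would make that intent clear, for example `// styled draw after the rejected call must not read out of bounds (visible under valgrind/ASan)`. The test also covers only the case where no style was ever set; a second case that sets a valid style, then passes `array()`, then draws, would pin down that a rejected call leaves the earlier style usable.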