diff options
| author | Pierre Joye <pierre.php@gmail.com> | 2016-07-19 13:37:23 +0700 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2016-07-19 15:55:20 +0200 |
| commit | 5b48472ec3446035decc0f86999bba038f14b51d (patch) | |
| tree | c396f8e30c584d45d9a7d33c557fb26713d3e3da | |
| parent | 62da85d35db8c655e757e87828dc4eb708139f73 (diff) | |
| download | php-git-5b48472ec3446035decc0f86999bba038f14b51d.tar.gz | |
fix #72512, invalid read or write for palette image when invalid transparent index is used
(cherry picked from commit 0fbcff1b35c1005b8d2cdfd33184867912d9d83a)
| -rw-r--r-- | ext/gd/libgd/gd.c | 13 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 8 | ||||
| -rw-r--r-- | ext/gd/tests/bug72512.phpt | 17 |
3 files changed, 32 insertions, 6 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index bb2f9c23aa..79b2d35799 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -597,15 +597,18 @@ void gdImageColorDeallocate (gdImagePtr im, int color) void gdImageColorTransparent (gdImagePtr im, int color) { + if (color < 0) { + return; + } if (!im->trueColor) { + if((color >= im->colorsTotal)) { + return; + } + /* Make the old transparent color opaque again */ if (im->transparent != -1) { im->alpha[im->transparent] = gdAlphaOpaque; } - if (color > -1 && color < im->colorsTotal && color < gdMaxColors) { - im->alpha[color] = gdAlphaTransparent; - } else { - return; - } + im->alpha[color] = gdAlphaTransparent; } im->transparent = color; } diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 83319966f9..fb34982582 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1244,7 +1244,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int if (new_img == NULL) { return NULL; } - new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + + if (transparent < 0) { + /* uninitialized */ + new_img->transparent = -1; + } else { + new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + } for (i=0; i < _height; i++) { long j; diff --git a/ext/gd/tests/bug72512.phpt b/ext/gd/tests/bug72512.phpt new file mode 100644 index 0000000000..2a2024d4cb --- /dev/null +++ b/ext/gd/tests/bug72512.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd)) +--SKIPIF-- +<?php + if (!extension_loaded('gd')) die("skip gd extension not available\n"); +?> +--FILE-- +<?php +$img = imagecreatetruecolor(100, 100); +imagecolortransparent($img, -1000000); +imagetruecolortopalette($img, TRUE, 3); +imagecolortransparent($img, 9); +echo "OK"; +?> +--EXPECT-- +OK + |