Merge branch 'PHP-7.0' into PHP-7.1

3 files changed, 21 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 5c044ef2ac..65f0892192 100644
--- a/NEWS
+++ b/NEWS
@@ -546,7 +546,8 @@ PHP                                                                        NEWS
     (Pierre)
   . Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine
     overflow). (Pierre)
-  . Fixed bug #72494 (imagecropauto out-of-bounds access). (Pierre)
+  . Fixed bug #72494 (imagecropauto out-of-bounds access). (Fernando, Pierre,
+    cmb)
 
 - Intl:
   . Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain
diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
index 8331521446..58b630317d 100644
--- a/ext/gd/libgd/gd_crop.c
+++ b/ext/gd/libgd/gd_crop.c
@@ -243,6 +243,10 @@ gdImagePtr gdImageCropThreshold(gdImagePtr im, const unsigned int color, const f
 		return NULL;
 	}
 
+	if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
+		return NULL;
+	}
+
 	/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
 	 * for the true color and palette images
 	 * new formats will simply work with ptr
diff --git a/ext/gd/tests/bug72494.phpt b/ext/gd/tests/bug72494.phpt
new file mode 100644
index 0000000000..f21de6ca3b
--- /dev/null
+++ b/ext/gd/tests/bug72494.phpt
@@ -0,0 +1,15 @@
+--TEST--

+Bug #72494 (imagecropauto out-of-bounds access)

+--SKIPIF--

+<?php

+if (!extension_loaded('gd')) die('skip gd extension not available');

+?>

+--FILE--

+<?php

+$im = imagecreate(10,10);

+imagecropauto($im, IMG_CROP_THRESHOLD, 0, 1337);

+?>

+===DONE===

+--EXPECTF--

+Warning: imagecropauto(): Color argument missing with threshold mode in %s on line %d

+===DONE===