MFH: Fixed bug #38112 (corrupted gif segfaults) (Pierre)

author: Ilia Alshanetsky <iliaa@php.net> 2006-08-10 18:34:22 +0000
committer: Ilia Alshanetsky <iliaa@php.net> 2006-08-10 18:34:22 +0000
commit: c3b1d9e9ef4ce9bc25a084e25d0ef951b681cb43 (patch)
tree: bc665bf2d5b206e668468022fa003d095cb80c2e
parent: bcef2d4a3343cb5c27589a88fa52a8e686d6e81b (diff)
download: php-git-c3b1d9e9ef4ce9bc25a084e25d0ef951b681cb43.tar.gz
5 files changed, 31 insertions, 16 deletions
diff --git a/NEWS b/NEWS
index 32bb22f18f..c13e671690 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
 - Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
   execution). (Tony)
 - Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus)
+- Fixed bug #38112 (corrupted gif segfaults) (Pierre)
 - Fixed bug #37587 (var without attribute causes segfault). (Marcus)
 - Fixed bug #37576 (FastCGI env (cgi vars) table overflow). (Piotr)
 - Fixed bug #37496 (FastCGI output buffer overrun). (Piotr, Dmitry)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 6a2e8fbcd1..bb12cefc0c 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -2161,7 +2161,7 @@ void gdImageCopy (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int srcX,
 				for (x = 0; (x < w); x++) {
 					int c = gdImageGetPixel (src, srcX + x, srcY + y);
 					if (c != src->transparent) {
-						gdImageSetPixel (dst, dstX + x, dstY + y, gdTrueColor(src->red[c], src->green[c], src->blue[c]));
+						gdImageSetPixel(dst, dstX + x, dstY + y, gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c], src->alpha[c]));
 					}
 				}
 			}
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 1e739179e2..3f24e4a476 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -430,6 +430,10 @@ gdImagePtr gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w,
 
 	gdImagePtr im;
 
+	if (w<1 || h <1) {
+		return 0;
+	}
+
 	/* The next few lines are basically copied from gd2CreateFromFile
 	 * we change the file size, so don't want to use the code directly.
 	 * but we do need to know the file size.
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index e3b7e0faa0..ffe4168c8d 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -185,18 +185,15 @@ gdImageCreateFromGifCtx(gdIOCtxPtr fd)
 
                bitPixel = 1<<((buf[8]&0x07)+1);
 
+		if (!(im = gdImageCreate(imw, imh))) {
+			return 0;
+		}
 
+               im->interlace = BitSet(buf[8], INTERLACE);
                if (! useGlobalColormap) {
-                       if (ReadColorMap(fd, bitPixel, localColorMap)) {
+		       if (ReadColorMap(fd, bitPixel, localColorMap)) {
                                  return 0;
                        }
-			   }
-
-			   if (!(im = gdImageCreate(imw, imh))) {
-				   return 0;
-			   }
-               im->interlace = BitSet(buf[8], INTERLACE);
-               if (! useGlobalColormap) {
                        ReadImage(im, fd, imw, imh, localColorMap,
                                  BitSet(buf[8], INTERLACE));
                                  /*1.4//imageCount != imageNumber); */
@@ -217,6 +214,10 @@ terminated:
        if (!im) {
 		return 0;
        }
+	if (!im->colorsTotal) {
+		gdImageDestroy(im);
+		return 0;
+	}
        /* Check for open colors at the end, so
           we can reduce colorsTotal and ultimately
           BitsPerPixel */
@@ -507,6 +508,18 @@ ReadImage(gdImagePtr im, gdIOCtx *fd, int len, int height, unsigned char (*cmap)
        int             v;
        int             xpos = 0, ypos = 0, pass = 0;
        int i;
+
+       /*
+       **  Initialize the Compression routines
+       */
+       if (! ReadOK(fd,&c,1)) {
+               return;
+       }
+
+	if (c > MAX_LWZ_BITS) {
+		return;
+	}
+
        /* Stash the color map into the image */
        for (i=0; (i<gdMaxColors); i++) {
                im->red[i] = cmap[CM_RED][i];
@@ -516,12 +529,7 @@ ReadImage(gdImagePtr im, gdIOCtx *fd, int len, int height, unsigned char (*cmap)
        }
        /* Many (perhaps most) of these colors will remain marked open. */
        im->colorsTotal = gdMaxColors;
-       /*
-       **  Initialize the Compression routines
-       */
-       if (! ReadOK(fd,&c,1)) {
-               return;
-       }
+
        if (LWZReadByte(fd, TRUE, c) < 0) {
                return;
        }
diff --git a/ext/gd/libgd/gd_gif_out.c b/ext/gd/libgd/gd_gif_out.c
index 651df90d4f..f6b4ff7e6d 100644
--- a/ext/gd/libgd/gd_gif_out.c
+++ b/ext/gd/libgd/gd_gif_out.c
@@ -265,9 +265,11 @@ GIFEncode(gdIOCtxPtr fp, int GWidth, int GHeight, int GInterlace, int Background
         int InitCodeSize;
         int i;
 	GifCtx ctx;
+	
+	memset(&ctx, 0, sizeof(ctx));
         ctx.Interlace = GInterlace;
 	ctx.in_count = 1;
-	memset(&ctx, 0, sizeof(ctx));
+
         ColorMapSize = 1 << BitsPerPixel;
 
         RWidth = ctx.Width = GWidth;
author	Ilia Alshanetsky <iliaa@php.net>	2006-08-10 18:34:22 +0000
committer	Ilia Alshanetsky <iliaa@php.net>	2006-08-10 18:34:22 +0000
commit	c3b1d9e9ef4ce9bc25a084e25d0ef951b681cb43 (patch)
tree	bc665bf2d5b206e668468022fa003d095cb80c2e
parent	bcef2d4a3343cb5c27589a88fa52a8e686d6e81b (diff)
download	php-git-c3b1d9e9ef4ce9bc25a084e25d0ef951b681cb43.tar.gz