diff options
| author | Christoph M. Becker <cmb@php.net> | 2015-07-11 20:50:54 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmb@php.net> | 2015-07-11 20:54:07 +0200 |
| commit | c40f40656e49cf7006dfa7e8f0db5b3d0d286045 (patch) | |
| tree | 913d0350130584e4b662dafd257029ca846c5758 | |
| parent | 6ac4c57f72aa6de6c6c404152bb215f981cfced2 (diff) | |
| download | php-git-c40f40656e49cf7006dfa7e8f0db5b3d0d286045.tar.gz | |
Fix #66339: PHP segfaults in imagexbm
The file parameter of the XBM image ZPP is not properly taken into account. If
it is NULL that would result in a segfault, because gdImageXbmCtx() is not
prepared to take a NULL file_name. If it is not NULL the XBM data would be
written to STDOUT, because the stream is not initialized. This patch fixes both
issues.
| -rw-r--r-- | ext/gd/gd_ctx.c | 7 | ||||
| -rw-r--r-- | ext/gd/tests/bug66339.phpt | 31 |
2 files changed, 37 insertions, 1 deletions
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c index 36208811b6..46331d8a8f 100644 --- a/ext/gd/gd_ctx.c +++ b/ext/gd/gd_ctx.c @@ -137,6 +137,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, it must a filename or a stream"); RETURN_FALSE; } + } else if (argc > 1 && file != NULL) { + stream = php_stream_open_wrapper(file, "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); + if (stream == NULL) { + RETURN_FALSE; + } } else { ctx = emalloc(sizeof(gdIOCtx)); ctx->putC = _php_image_output_putc; @@ -184,7 +189,7 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, q = i; } if (image_type == PHP_GDIMG_TYPE_XBM) { - (*func_p)(im, file, q, ctx); + (*func_p)(im, file ? file : "", q, ctx); } else { (*func_p)(im, q, ctx); } diff --git a/ext/gd/tests/bug66339.phpt b/ext/gd/tests/bug66339.phpt new file mode 100644 index 0000000000..a5ef5c6915 --- /dev/null +++ b/ext/gd/tests/bug66339.phpt @@ -0,0 +1,31 @@ +--TEST-- +Bug #66339 (PHP segfaults in imagexbm) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +$im = imagecreate(8, 8); +imagecolorallocate($im, 0, 0, 0); // background +$white = imagecolorallocate($im, 255, 255, 255); +imagefilledrectangle($im, 2, 2, 6, 6, $white); +imagexbm($im, NULL); +echo "------------\n"; +imagexbm($im, './bug66339.xbm'); +echo file_get_contents('./bug66339.xbm'); +?> +--CLEAN-- +<?php +unlink('./bug66339.xbm'); +?> +--EXPECT-- +#define image_width 8 +#define image_height 8 +static unsigned char image_bits[] = { + 0xFF, 0xFF, 0x83, 0x83, 0x83, 0x83, 0x83, 0xFF}; +------------ +#define bug66339_width 8 +#define bug66339_height 8 +static unsigned char bug66339_bits[] = { + 0xFF, 0xFF, 0x83, 0x83, 0x83, 0x83, 0x83, 0xFF}; |