diff options
| author | Pierre Joye <pierre.php@gmail.com> | 2016-07-19 13:39:46 +0700 |
|---|---|---|
| committer | Ferenc Kovacs <tyra3l@gmail.com> | 2016-07-21 02:08:53 +0200 |
| commit | 210222928e52b95827a0b5e4a987303233597f89 (patch) | |
| tree | 9ab563a118ab74dbb192d43f00c4454999a880f9 | |
| parent | a3564c4b5bfa94424fcd7df2400c23f1ca7fb4af (diff) | |
| download | php-git-210222928e52b95827a0b5e4a987303233597f89.tar.gz | |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
fix #72512, invalid read or write for palette image when invalid transparent index is used
| -rw-r--r-- | ext/gd/libgd/gd.c | 13 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 8 | ||||
| -rw-r--r-- | ext/gd/tests/bug72512.phpt | 17 |
3 files changed, 32 insertions, 6 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index 3a7ca3639f..98e6080560 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -599,15 +599,18 @@ void gdImageColorDeallocate (gdImagePtr im, int color) void gdImageColorTransparent (gdImagePtr im, int color) { + if (color < 0) { + return; + } if (!im->trueColor) { + if((color >= im->colorsTotal)) { + return; + } + /* Make the old transparent color opaque again */ if (im->transparent != -1) { im->alpha[im->transparent] = gdAlphaOpaque; } - if (color > -1 && color < im->colorsTotal && color < gdMaxColors) { - im->alpha[color] = gdAlphaTransparent; - } else { - return; - } + im->alpha[color] = gdAlphaTransparent; } im->transparent = color; } diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 8162b7e113..b9c4c2878e 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -1266,7 +1266,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int if (new_img == NULL) { return NULL; } - new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + + if (transparent < 0) { + /* uninitialized */ + new_img->transparent = -1; + } else { + new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]); + } for (i=0; i < _height; i++) { long j; diff --git a/ext/gd/tests/bug72512.phpt b/ext/gd/tests/bug72512.phpt new file mode 100644 index 0000000000..2a2024d4cb --- /dev/null +++ b/ext/gd/tests/bug72512.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd)) +--SKIPIF-- +<?php + if (!extension_loaded('gd')) die("skip gd extension not available\n"); +?> +--FILE-- +<?php +$img = imagecreatetruecolor(100, 100); +imagecolortransparent($img, -1000000); +imagetruecolortopalette($img, TRUE, 3); +imagecolortransparent($img, 9); +echo "OK"; +?> +--EXPECT-- +OK + |