diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-12-07 23:30:49 -0800 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2016-01-05 13:33:50 +0100 |
| commit | 4b8394dd78571826ac66a69dc240c623f31d78f8 (patch) | |
| tree | 863aa94b682d7003fdc1612441f914d4fc18d753 | |
| parent | 2721a0148649e07ed74468f097a28899741eb58f (diff) | |
| download | php-git-4b8394dd78571826ac66a69dc240c623f31d78f8.tar.gz | |
Fix bug #70976: fix boundary check on gdImageRotateInterpolated
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 2 | ||||
| -rw-r--r-- | ext/gd/tests/bug70976.phpt | 13 |
2 files changed, 14 insertions, 1 deletions
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index f70169dddc..0f874ac4cb 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in { const int angle_rounded = (int)floor(angle * 100); - if (bgcolor < 0) { + if (bgcolor < 0 || bgcolor >= gdMaxColors) { return NULL; } diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt new file mode 100644 index 0000000000..23af4eedc7 --- /dev/null +++ b/ext/gd/tests/bug70976.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds) +--SKIPIF-- +<?php + if(!extension_loaded('gd')){ die('skip gd extension not available'); } +?> +--FILE-- +<?php +$img = imagerotate(imagecreate(1,1),45,0x7ffffff9); +var_dump($img); +?> +--EXPECTF-- +bool(false)
\ No newline at end of file |