diff options
| author | Christoph M. Becker <cmb@php.net> | 2016-08-02 18:53:54 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmb@php.net> | 2016-08-02 18:56:35 +0200 |
| commit | 3d0002ed369602c4eb8c37ee69b1eb947fd9fa56 (patch) | |
| tree | 5e3c3d43a1bddf9fa5d14b1033e39db4f91bbcef | |
| parent | 02fce3ecea252c7916a8bcc76195d9c68fb939d4 (diff) | |
| parent | 3a8c027ec383811ed8a61e3db604d89b5efa58d6 (diff) | |
| download | php-git-3d0002ed369602c4eb8c37ee69b1eb947fd9fa56.tar.gz | |
Merge branch 'PHP-7.0' into PHP-7.1
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/gd/gd.c | 9 | ||||
| -rw-r--r-- | ext/gd/tests/bug72709.phpt | 18 |
3 files changed, 29 insertions, 1 deletions
@@ -26,6 +26,9 @@ PHP NEWS . Fixed bug #72658 (Locale::lookup() / locale_lookup() hangs if no match found). (Anatol) +- GD: + . Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb) + - mbstring: . Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width). (cmb) diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 119bc8fec4..d0eea0bd0b 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -1444,6 +1444,7 @@ PHP_FUNCTION(imagesetstyle) gdImagePtr im; int *stylearr; int index = 0; + uint32_t num_styles; if (zend_parse_parameters(ZEND_NUM_ARGS(), "ra", &IM, &styles) == FAILURE) { return; @@ -1453,8 +1454,14 @@ PHP_FUNCTION(imagesetstyle) RETURN_FALSE; } + num_styles = zend_hash_num_elements(Z_ARRVAL_P(styles)); + if (num_styles == 0) { + php_error_docref(NULL, E_WARNING, "styles array must not be empty"); + RETURN_FALSE; + } + /* copy the style values in the stylearr */ - stylearr = safe_emalloc(sizeof(int), zend_hash_num_elements(Z_ARRVAL_P(styles)), 0); + stylearr = safe_emalloc(sizeof(int), num_styles, 0); ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(styles), item) { stylearr[index++] = zval_get_long(item); diff --git a/ext/gd/tests/bug72709.phpt b/ext/gd/tests/bug72709.phpt new file mode 100644 index 0000000000..1c5b1f4ae0 --- /dev/null +++ b/ext/gd/tests/bug72709.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #72709 (imagesetstyle() causes OOB read for empty $styles) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip ext/gd not available'); +?> +--FILE-- +<?php +$im = imagecreatetruecolor(1, 1); +var_dump(imagesetstyle($im, array())); +imagesetpixel($im, 0, 0, IMG_COLOR_STYLED); +imagedestroy($im); +?> +====DONE==== +--EXPECTF-- +Warning: imagesetstyle(): styles array must not be empty in %s%ebug72709.php on line %d +bool(false) +====DONE==== |