diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-01-06 09:35:13 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-01-06 09:35:13 +0100 |
| commit | 2c5860517c4a1f7ebc81ef79858aa5aff5aad76c (patch) | |
| tree | 47a546da523e752d082265d3a37bc0be0bb9ea66 | |
| parent | c05a069adfcca56763d5db06afce8801382477a5 (diff) | |
| download | php-git-2c5860517c4a1f7ebc81ef79858aa5aff5aad76c.tar.gz | |
Fix #79067: gdTransformAffineCopy() may use unitialized values
We port
<https://github.com/libgd/libgd/commit/7a06c1669c563917bc48c464521e3de962ddb4e8>.
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 7 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_matrix.c | 2 | ||||
| -rw-r--r-- | ext/gd/tests/bug79067.phpt | 14 |
4 files changed, 21 insertions, 3 deletions
@@ -24,6 +24,7 @@ PHP NEWS - GD: . Fixed bug #78923 (Artifacts when convoluting image with transparency). (wilson chen) + . Fixed bug #79067 (gdTransformAffineCopy() may use unitialized values). (cmb) - Libxml: . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence) diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 86549a279d..489f3c9694 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -2334,7 +2334,7 @@ int gdTransformAffineGetImage(gdImagePtr *dst, * src_area - Rectangular region to rotate in the src image * * Returns: - * GD_TRUE if the affine is rectilinear or GD_FALSE + * GD_TRUE on success or GD_FALSE on failure */ int gdTransformAffineCopy(gdImagePtr dst, int dst_x, int dst_y, @@ -2393,7 +2393,10 @@ int gdTransformAffineCopy(gdImagePtr dst, end_y = bbox.height + (int) fabs(bbox.y); /* Get inverse affine to let us work with destination -> source */ - gdAffineInvert(inv, affine); + if (gdAffineInvert(inv, affine) == GD_FALSE) { + gdImageSetInterpolationMethod(src, interpolation_id_bak); + return GD_FALSE; + } src_offset_x = src_region->x; src_offset_y = src_region->y; diff --git a/ext/gd/libgd/gd_matrix.c b/ext/gd/libgd/gd_matrix.c index 0a67f1dc26..d2dfbd2d16 100644 --- a/ext/gd/libgd/gd_matrix.c +++ b/ext/gd/libgd/gd_matrix.c @@ -55,7 +55,7 @@ int gdAffineApplyToPointF (gdPointFPtr dst, const gdPointFPtr src, * <gdAffineIdentity> * * Returns: - * GD_TRUE if the affine is rectilinear or GD_FALSE + * GD_TRUE on success or GD_FALSE on failure */ int gdAffineInvert (double dst[6], const double src[6]) { diff --git a/ext/gd/tests/bug79067.phpt b/ext/gd/tests/bug79067.phpt new file mode 100644 index 0000000000..1442b7fb56 --- /dev/null +++ b/ext/gd/tests/bug79067.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #79067 (gdTransformAffineCopy() may use unitialized values) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +$matrix = [1, 1, 1, 1, 1, 1]; +$src = imagecreatetruecolor(8, 8); +var_dump(imageaffine($src, $matrix)); +?> +--EXPECT-- +bool(false) |