diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-01-06 09:36:49 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-01-06 09:37:40 +0100 |
| commit | f799f42ec818659a2434dc0f7281ce755592391a (patch) | |
| tree | 728ee3f81cc72352d5575541e4815b7d6d2cf1eb | |
| parent | f4aa0869acfd871f780ecf378f84f68a4755267e (diff) | |
| parent | 2c5860517c4a1f7ebc81ef79858aa5aff5aad76c (diff) | |
| download | php-git-f799f42ec818659a2434dc0f7281ce755592391a.tar.gz | |
Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3:
Fix #79067: gdTransformAffineCopy() may use unitialized values
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 7 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_matrix.c | 2 | ||||
| -rw-r--r-- | ext/gd/tests/bug79067.phpt | 14 |
4 files changed, 23 insertions, 3 deletions
@@ -34,6 +34,9 @@ PHP NEWS . Fixed bug #74170 (locale information change after mime_content_type). (Sergei Turchanov) +- GD: + . Fixed bug #79067 (gdTransformAffineCopy() may use unitialized values). (cmb) + - Libxml: . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence) diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 015f859e2b..e6d672ec8f 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -2289,7 +2289,7 @@ int gdTransformAffineGetImage(gdImagePtr *dst, * src_area - Rectangular region to rotate in the src image * * Returns: - * GD_TRUE if the affine is rectilinear or GD_FALSE + * GD_TRUE on success or GD_FALSE on failure */ int gdTransformAffineCopy(gdImagePtr dst, int dst_x, int dst_y, @@ -2346,7 +2346,10 @@ int gdTransformAffineCopy(gdImagePtr dst, end_y = bbox.height + abs(bbox.y); /* Get inverse affine to let us work with destination -> source */ - gdAffineInvert(inv, affine); + if (gdAffineInvert(inv, affine) == GD_FALSE) { + gdImageSetInterpolationMethod(src, interpolation_id_bak); + return GD_FALSE; + } src_offset_x = src_region->x; src_offset_y = src_region->y; diff --git a/ext/gd/libgd/gd_matrix.c b/ext/gd/libgd/gd_matrix.c index 0a67f1dc26..d2dfbd2d16 100644 --- a/ext/gd/libgd/gd_matrix.c +++ b/ext/gd/libgd/gd_matrix.c @@ -55,7 +55,7 @@ int gdAffineApplyToPointF (gdPointFPtr dst, const gdPointFPtr src, * <gdAffineIdentity> * * Returns: - * GD_TRUE if the affine is rectilinear or GD_FALSE + * GD_TRUE on success or GD_FALSE on failure */ int gdAffineInvert (double dst[6], const double src[6]) { diff --git a/ext/gd/tests/bug79067.phpt b/ext/gd/tests/bug79067.phpt new file mode 100644 index 0000000000..1442b7fb56 --- /dev/null +++ b/ext/gd/tests/bug79067.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #79067 (gdTransformAffineCopy() may use unitialized values) +--SKIPIF-- +<?php +if (!extension_loaded('gd')) die('skip gd extension not available'); +?> +--FILE-- +<?php +$matrix = [1, 1, 1, 1, 1, 1]; +$src = imagecreatetruecolor(8, 8); +var_dump(imageaffine($src, $matrix)); +?> +--EXPECT-- +bool(false) |