| author | Christoph M. Becker <cmbecker69@gmx.de> | 2016-10-25 15:14:22 +0200 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2016-11-01 13:03:41 +0100 |
| commit | 1b5543b8ab22b85c14546649057475fce2083fbd (patch) | |
| tree | 0213e0a5aeb7ab858d3bfaacbb9c8a946ef5ad13 /ext/gd/tests | |
| parent | 7cf7920055d44da72529b4277e6890c99cf1932e (diff) | |
| download | php-git-1b5543b8ab22b85c14546649057475fce2083fbd.tar.gz | |
Fix #72482: Ilegal write/read access caused by gdImageAALine overflow
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
(cherry picked from commit 6499581af76cfe986e12330faabb3a7c36d45ffc)
Diffstat (limited to 'ext/gd/tests')
| -rw-r--r-- | ext/gd/tests/bug72482.phpt | 19 | ||||
| -rw-r--r-- | ext/gd/tests/bug72482_2.phpt | 21 | ||||
| -rw-r--r-- | ext/gd/tests/bug72482_2.png | bin | 0 -> 118 bytes |
3 files changed, 40 insertions, 0 deletions
diff --git a/ext/gd/tests/bug72482.phpt b/ext/gd/tests/bug72482.phpt
new file mode 100644
index 0000000000..548921d559
--- /dev/null
+++ b/ext/gd/tests/bug72482.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(13, 1007);
+imageantialias($img, true);
+imageline($img, 0, 0, 1073745919, 1073745919, 4096);
+
+$img = imagecreatetruecolor(100, 100);
+imageantialias($img, true);
+imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/gd/tests/bug72482_2.phpt b/ext/gd/tests/bug72482_2.phpt
new file mode 100644
index 0000000000..a8a08faa53
--- /dev/null
+++ b/ext/gd/tests/bug72482_2.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
+
+$im = imagecreatetruecolor(10, 10);
+imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
+imageantialias($im, true);
+imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
+
+test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
+?>
+===DONE===
+--EXPECT--
+The images are equal.
+===DONE===
diff --git a/ext/gd/tests/bug72482_2.png b/ext/gd/tests/bug72482_2.png
Binary files differ
new file mode 100644
index 0000000000..da90b2a267
--- /dev/null
+++ b/ext/gd/tests/bug72482_2.png |
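Review bot: The two `imageline()` calls in the `--FILE--` section of bug72482.phpt can only fail by crashing, so on a build without memory checking an out-of-bounds access that happens not to fault would still print `===DONE===` and the regression would go unnoticed. The file should state that dependency and the reason for the coordinates, for example with `// endpoints lie far outside the canvas and must be clipped; a regression may only show up under valgrind or ASan` above the first call. The literal endpoints are unexplained; presumably they are the values from the original report that overflowed the old hand-rolled bounds check, and a short comment saying so would keep a later cleanup from "simplifying" them away.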
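Review bot: The `--TEST--` title of bug72482_2.phpt matches the first test's apart from the missing `#`, so the two cannot be told apart in a test-run summary; a distinct title such as `Bug #72482 (gdImageAALine clipping at the image edge)` would fix that. The call `imageline($im, 0, 0, 10, 10, ...)` ends one pixel past the last valid ordinate of the 10x10 image, which appears to be the width-1/height-1 case described in the commit message. A comment such as `// (10,10) is one past the last pixel (9,9); the line has to be clipped there` would record that intent. `func.inc` and `test_image_equals_file()` are defined outside this diff, so what the comparison tolerates cannot be checked from here.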
