From 48e76abadd17a090259db77f3294d870fbc31ba5 Mon Sep 17 00:00:00 2001
From: Pierre Joye
Date: Tue, 19 Jul 2016 16:33:17 +0700
Subject: improve fix #72558, free contribRow as well
---
 ext/gd/libgd/gd_interpolation.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'ext/gd')
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 9a7789e365..fd91e56535 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -909,6 +909,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
 for (i=0;i<=u;i++) {
 gdFree(res->ContribRow[i].Weights);
 }
+ gdFree(res->ContribRow);
 gdFree(res);
 return NULL;
 }
-- 
cgit v1.2.1

From 1d69028d2f15216d128b5a6e606f763ef09d4991 Mon Sep 17 00:00:00 2001
From: Pierre Joye
Date: Tue, 19 Jul 2016 18:23:51 +0700
Subject: fix #72494, improve input color check and prevent issues when old gd are used, done before gd call
---
 ext/gd/gd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'ext/gd')
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index b843bda98d..533dc502ca 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -5116,7 +5116,7 @@ PHP_FUNCTION(imagecropauto)
 break;
 case GD_CROP_THRESHOLD:
- if (color < 0) {
+ if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Color argument missing with threshold mode");
 RETURN_FALSE;
 }
-- 
cgit v1.2.1

From b25009fc2c97c6b5a93b3fc5f6a5b221b62f1273 Mon Sep 17 00:00:00 2001
From: Pierre Joye
Date: Tue, 19 Jul 2016 19:34:07 +0700
Subject: #72482, Ilegal write/read access caused by gdImageAALine overflow
---
 ext/gd/libgd/gd.c | 49 ++-----------------------------------------------
 1 file changed, 2 insertions(+), 47 deletions(-)
(limited to 'ext/gd')
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index fc63cd379c..49867b1f2a 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
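Review bot: The cleanup loop in `_gdContributionsAlloc` (ext/gd/libgd/gd_interpolation.c) still uses the inclusive bound `for (i=0;i<=u;i++)`, and the added `gdFree(res->ContribRow);` does not change which rows that loop touches. The assignment of `u` is outside the hunk, but the signature takes `unsigned int line_length`, so if `u` is unsigned and is stepped back from 0 before this loop, it wraps and the loop would call `gdFree` on `Weights` pointers far past the rows that were actually allocated. A bound that cannot wrap would be `for (i = 0; i < u; i++)` with `u` left as the index of the row that failed; this should be confirmed against the lines above the hunk. The function body starts and ends outside the hunk.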
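Review bot: The widened condition under `case GD_CROP_THRESHOLD:` in `PHP_FUNCTION(imagecropauto)` (ext/gd/gd.c) now also rejects a palette index at or above `gdImageColorsTotal(im)`, yet it still reports "Color argument missing with threshold mode", which is wrong for a caller who did pass a color. A separate branch for the range case with its own message, for example `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Color argument is out of range for a palette image");`, would tell the user what to correct. The check guards only this binding; whether the library's threshold-crop routine validates the index itself is not visible here. The switch statement continues outside the hunk.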
@@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
 long x, y, inc;
 long dx, dy,tmp;
- if (y1 < 0 && y2 < 0) {
- return;
- }
- if (y1 < 0) {
- x1 += (y1 * (x1 - x2)) / (y2 - y1);
- y1 = 0;
- }
- if (y2 < 0) {
- x2 += (y2 * (x1 - x2)) / (y2 - y1);
- y2 = 0;
- }
-
- /* bottom edge */
- if (y1 >= im->sy && y2 >= im->sy) {
- return;
- }
- if (y1 >= im->sy) {
- x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
- y1 = im->sy - 1;
- }
- if (y2 >= im->sy) {
- x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
- y2 = im->sy - 1;
- }
-
- /* left edge */
- if (x1 < 0 && x2 < 0) {
- return;
- }
- if (x1 < 0) {
- y1 += (x1 * (y1 - y2)) / (x2 - x1);
- x1 = 0;
- }
- if (x2 < 0) {
- y2 += (x2 * (y1 - y2)) / (x2 - x1);
- x2 = 0;
- }
- /* right edge */
- if (x1 >= im->sx && x2 >= im->sx) {
+ /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
 return;
 }
- if (x1 >= im->sx) {
- y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
- x1 = im->sx - 1;
- }
- if (x2 >= im->sx) {
- y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
- x2 = im->sx - 1;
- }
 dx = x2 - x1;
 dy = y2 - y1;
-- 
cgit v1.2.1
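Review bot: The new `clip_1d` calls in `gdImageAALine` pass `gdImageSX(im)` and `gdImageSY(im)` as the limit, whereas the removed code clamped endpoints to `im->sx - 1` and `im->sy - 1`. `clip_1d` is defined outside this hunk; if its last argument is an inclusive maximum, an endpoint can be left at x == sx or y == sy, one past the last valid column or row, and the drawing code after `dx = x2 - x1;` would then rely on per-pixel bounds checks that are not visible here. In that case the calls should read `clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im) - 1)` and `clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im) - 1)`. The function body continues past the end of the hunk.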