From f061867fd385109861d128ae6f3e2484fc4daa72 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 18 Apr 2016 23:31:03 -0700 Subject: [PATCH] Fix bug #71952: Corruption inside imageaffinematrixget --- NEWS | 3 +++ ext/gd/gd.c | 5 ++++- ext/gd/tests/bug71952.phpt | 14 ++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ext/gd/tests/bug71952.phpt diff --git a/NEWS b/NEWS index dbc0f733d8f..58b8631d1d3 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,9 @@ PHP NEWS - Date: . Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt) +- GD: + . Fixed bug #71952 (Corruption inside imageaffinematrixget). (Stas) + - OCI8: . Fixed bug #71422 (Fix ORA-01438: value larger than specified precision allowed for this column). (Chris Jones) diff --git a/ext/gd/gd.c b/ext/gd/gd.c index b7203e7b8cf..df0a32f1ab3 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -5362,7 +5362,10 @@ PHP_FUNCTION(imageaffinematrixget) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number is expected as option"); RETURN_FALSE; } - convert_to_double_ex(&options); + if(Z_TYPE_P(options) != IS_DOUBLE) { + Z_ADDREF_P(options); + convert_to_double_ex(&options); + } angle = Z_DVAL_P(options); if (type == GD_AFFINE_SHEAR_HORIZONTAL) { diff --git a/ext/gd/tests/bug71952.phpt b/ext/gd/tests/bug71952.phpt new file mode 100644 index 00000000000..f1f66bf26d0 --- /dev/null +++ b/ext/gd/tests/bug71952.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #71952 (Corruption inside imageaffinematrixget) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +string(200) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ No newline at end of file