php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-24 00:18:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-7.0'

Browse Source 
* PHP-7.0:
  #72482, Ilegal write/read access caused by gdImageAALine overflow
  fix #72494, improve input color check and prevent issues when old gd are used, done before gd call
  improve fix #72558, free contribRow as well
This commit is contained in:
Pierre Joye
2016-07-19 19:35:40 +07:00
parent 83d498dafd 77a71cba20
commit 439e2ae516
3 changed files with 5 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ext/gd/gd.c
+2 -2
View File
@@ -4636,8 +4636,8 @@ PHP_FUNCTION(imagecropauto)
break;
case GD_CROP_THRESHOLD:
if (color < 0) {
php_error_docref(NULL, E_WARNING, "Color argument missing with threshold mode");
if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Color argument missing with threshold mode");
RETURN_FALSE;
}
im_crop = gdImageCropThreshold(im, color, (float) threshold);
ext/gd/libgd/gd.c
+2 -47
View File
@@ -1299,55 +1299,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
long x, y, inc;
long dx, dy,tmp;
if (y1 < 0 && y2 < 0) {
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
return;
}
if (y1 < 0) {
x1 += (y1 * (x1 - x2)) / (y2 - y1);
y1 = 0;
}
if (y2 < 0) {
x2 += (y2 * (x1 - x2)) / (y2 - y1);
y2 = 0;
}
/* bottom edge */
if (y1 >= im->sy && y2 >= im->sy) {
return;
}
if (y1 >= im->sy) {
x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
y1 = im->sy - 1;
}
if (y2 >= im->sy) {
x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
y2 = im->sy - 1;
}
/* left edge */
if (x1 < 0 && x2 < 0) {
return;
}
if (x1 < 0) {
y1 += (x1 * (y1 - y2)) / (x2 - x1);
x1 = 0;
}
if (x2 < 0) {
y2 += (x2 * (y1 - y2)) / (x2 - x1);
x2 = 0;
}
/* right edge */
if (x1 >= im->sx && x2 >= im->sx) {
return;
}
if (x1 >= im->sx) {
y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
x1 = im->sx - 1;
}
if (x2 >= im->sx) {
y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
x2 = im->sx - 1;
}
dx = x2 - x1;
dy = y2 - y1;
ext/gd/libgd/gd_interpolation.c
+1
View File
@@ -909,6 +909,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
for (i=0;i<=u;i++) {
gdFree(res->ContribRow[i].Weights);
}
gdFree(res->ContribRow);
gdFree(res);
return NULL;
}