From 8f5eda4bf62ca0e1ba6459b42fb5c0b629774cb2 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 24 Sep 2016 12:36:54 +0200
Subject: [PATCH] Fix #73161: imagecreatefromgd2() may leak memory
---
 NEWS | 1 +
 ext/gd/libgd/gd_gd2.c | 10 +++++-----
 ext/gd/tests/bug73161.gd2 | Bin 0 -> 26 bytes
 ext/gd/tests/bug73161.phpt | 18 ++++++++++++++++++
 4 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 ext/gd/tests/bug73161.gd2
 create mode 100644 ext/gd/tests/bug73161.phpt
diff --git a/NEWS b/NEWS
index a7a71846bb2..3863bdaa266 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,7 @@ PHP NEWS . Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb) . Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files). (cmb)
+ . Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
 - Mbstring: . Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index 57d5844510f..d06f328425e 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -191,21 +191,21 @@ static gdImagePtr _gd2CreateFromFile (gdIOCtxPtr in, int *sx, int *sy, int *cs,
 }
 if (im == NULL) {
 GD2_DBG(php_gd_error("Could not create gdImage"));
- goto fail1;
+ goto fail2;
 }
 if (!_gdGetColors(in, im, (*vers) == 2)) {
 GD2_DBG(php_gd_error("Could not read color palette"));
- goto fail2;
+ goto fail3;
 }
 GD2_DBG(php_gd_error("Image palette completed: %d colours", im->colorsTotal));
 return im;
-fail2:
+fail3:
 gdImageDestroy(im);
- return 0;
-
+fail2:
+ gdFree(*cidx);
 fail1:
 return 0;
 }
diff --git a/ext/gd/tests/bug73161.gd2 b/ext/gd/tests/bug73161.gd2
new file mode 100644
index 0000000000000000000000000000000000000000..f5084e49769947b128beaa8f312f595c7330d5eb
GIT binary patch literal 26 acmYdKF=Aj~VsHRM76wKjWMGg7Vs!u}_yP<7 literal 0 HcmV?d00001
diff --git a/ext/gd/tests/bug73161.phpt b/ext/gd/tests/bug73161.phpt
new file mode 100644
index 00000000000..42ad7186064
--- /dev/null
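Review bot: At the new `fail2:` label in ext/gd/libgd/gd_gd2.c, `gdFree(*cidx);` releases the chunk index through the caller's out-parameter but leaves `*cidx` holding the freed address, so a caller that also cleans up its chunk-index pointer after a NULL return would free it a second time. Resetting the pointer closes that off: `gdFree(*cidx); *cidx = NULL;`. The free is also only safe if `*cidx` is either NULL or a live allocation on every path that reaches `fail2`; the code that sets it lies above this hunk (the function starts outside it), so that should be confirmed for formats where no chunk index is allocated. A short comment at the label, such as `/* *cidx is NULL unless the header reader allocated it */`, would record the assumption for the next maintainer.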
+++ b/ext/gd/tests/bug73161.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #73161 (imagecreatefromgd2() may leak memory)
+--DESCRIPTION--
+We're testing for a memory leak that might not even show up with valgrind.
+--SKIPIF--
+
+--FILE--
+
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===