From f67d599a0179d0895170c77188847ae60b497714 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 21 Jan 2017 01:21:03 +0100
Subject: [PATCH] Fix #73968: Premature failing of XBM reading

We must take into account the line padding, when we're reading XBM
files.

We deliberately ignore the potential integer overflow here, because
that would be caught by gdImageCreate() or even earlier if `bytes==0`,
what happens in libgd00094.phpt which we adapt accordingly.
---
 NEWS                         |  3 +++
 ext/gd/libgd/xbm.c           |  2 +-
 ext/gd/tests/bug73968.phpt   | 15 +++++++++++++++
 ext/gd/tests/bug73968.xbm    |  5 +++++
 ext/gd/tests/libgd00094.phpt |  3 ---
 5 files changed, 24 insertions(+), 4 deletions(-)
 create mode 100644 ext/gd/tests/bug73968.phpt
 create mode 100644 ext/gd/tests/bug73968.xbm

diff --git a/NEWS b/NEWS
index 2c403ebb8fc..d96e7bec902 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,9 @@ PHP                                                                        NEWS
   . Fixed bug #67583 (double fastcgi_end_request on max_children limit).
     (Dmitry Saprykin)
 
+- GD:
+  . Fixed bug #73968 (Premature failing of XBM reading). (cmb)
+
 - GMP:
   . Fixed bug #69993 (test for gmp.h needs to test machine includes).
     (Jordan Gigov) 
diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c
index 88d27a9c93d..044159db12c 100644
--- a/ext/gd/libgd/xbm.c
+++ b/ext/gd/libgd/xbm.c
@@ -77,7 +77,7 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
 				max_bit = 32768;
 			}
 			if (max_bit) {
-				bytes = (width * height / 8) + 1;
+				bytes = (width + 7) / 8 * height;
 				if (!bytes) {
 					return 0;
 				}
diff --git a/ext/gd/tests/bug73968.phpt b/ext/gd/tests/bug73968.phpt
new file mode 100644
index 00000000000..fd17fe26ba9
--- /dev/null
+++ b/ext/gd/tests/bug73968.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #73968 (Premature failing of XBM reading)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromxbm(__DIR__ . DIRECTORY_SEPARATOR . 'bug73968.xbm');
+var_dump($im);
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===
diff --git a/ext/gd/tests/bug73968.xbm b/ext/gd/tests/bug73968.xbm
new file mode 100644
index 00000000000..f427d86a54b
--- /dev/null
+++ b/ext/gd/tests/bug73968.xbm
@@ -0,0 +1,5 @@
+#define test_width 10
+#define test_height 10
+static unsigned char test_bits[] = {
+  0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00, 
+  0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00};
diff --git a/ext/gd/tests/libgd00094.phpt b/ext/gd/tests/libgd00094.phpt
index d1d68eab041..d06afc47294 100644
--- a/ext/gd/tests/libgd00094.phpt
+++ b/ext/gd/tests/libgd00094.phpt
@@ -11,9 +11,6 @@ $im = imagecreatefromxbm(dirname(__FILE__) . '/libgd00094.xbm');
 var_dump($im);
 ?>
 --EXPECTF--
-Warning: imagecreatefromxbm(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
- in %slibgd00094.php on line %d
-
 Warning: imagecreatefromxbm(): '%slibgd00094.xbm' is not a valid XBM file in %slibgd00094.php on line %d
 bool(false)