We must not pass values to `gdImageScale()` which cannot be represented
by an `unsigned int`. Instead we return FALSE, according to what we
already did for negative integers.
* 'PHP-7.1' of git.php.net:/php-src:
Update NEWS
Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx
Fix bug #74782: remove file name from output to avoid XSS
Due to a signedness confusion in `GetCode_` a corrupt GIF file can
trigger an infinite loop. Furthermore we make sure that a GIF without
any palette entries is treated as invalid *after* open palette entries
have been removed.
We apply the respective patches from external libgd, work around the
still missing `gdImageClone()`, and fix the special cased rotation
routines according to Pierre's patch
(https://gist.github.com/pierrejoye/59d72385ed1888cf8894a7ed437235ae).
We also cater to bug73272.phpt whose result obviously changes a bit.
We back-port https://github.com/libgd/libgd/commit/dd48286 even though
we cannot come up with a regression test, because the erroneous
condition appears to be impossible to trigger.
We also parenthesize the inner ternary operation to avoid confusion.
We have to make sure to avoid alpha-blending issues by explicitly
switching to `gdEffectReplace` and to restore the old value afterwards.
This is a port of <https://github.com/libgd/libgd/commit/a7a7ece>.
The last (`IDAT`) chunk in this file starting at `0x5e265` reports to
have a length of `0x2000` bytes, but there are only `0x1D9B` bytes
left. Simply cutting the first `IDAT` chunk which starts at `0x31` and
also reports a length of `0x2000` at the same offset should produce the
same test results (while reducing the file size to 7.628 bytes).
This bug had already been fixed, but apparently there's no regression
test yet, so we add one.
Note that the expected image has black pixel artifacts, which are
another issue (perhaps bug #40158), and would have to be adressed
separately.
We must take into account the line padding, when we're reading XBM
files.
We deliberately ignore the potential integer overflow here, because
that would be caught by gdImageCreate() or even earlier if `bytes==0`,
what happens in libgd00094.phpt which we adapt accordingly.
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
