The stack overflow is caused by the recursive algorithm in combination with a
very large negative coordinate passed to gdImageFillToBorder(). As there is
already a clipping for large positive coordinates to the width and height of
the image, it seems to be consequent to clip to zero also.
Contrary to imagefilledrectangle(), imagerectangle() has the documented
limitation that the given points have to be the upper left and the lower right
corner, respectively. However, libgd already caters to upper right / lower left
pairs, and not catering to the other two combinations seems to be an oversight.
The code in the bundled libgd uses libvpx and writes the riff manually. The
code generates the correct even size, but neglects the padding. It's possible
older versions of libwebp would decode this, but libwebp 0.4.0 does not.
Let's apply the patch supplied by one of the WebP developers.
Contrary to the external libgd, the bundled libgd doesn't use optimized
rotation algorithms for negative square angles. We fix that now.
There are other improvements in gdImageRotateInterpolated() in the external
libgd. I'll leave them out for now, in the hope that we'll be able to rejoin
the two libraries rather soon.
imagescale(..., IMG_BICUBIC) is not supposed to work with palette images, so we
fix that by converting to true color if necessary. Basically the same fix has
already been applied to the external libgd[1].
[1] <723ea520be>
To avoid drawing the corner pixels twice, gdImageRectangle() draws the vertical
lines 2 points shorter than the actual side of the rectangle. However, this
causes "whiskers" for rectangles with height 0. This patch fixes this issue and
at the same time optimizes the algorithm by drawing only a single line for zero
height and zero width rectangles.
Actually, this is not really a bug fix, but rather a simplification and
optimization in the same vein as has been done with the external libgd, but
going a small step further and joining both for loops.
The file parameter of the XBM image ZPP is not properly taken into account. If
it is NULL that would result in a segfault, because gdImageXbmCtx() is not
prepared to take a NULL file_name. If it is not NULL the XBM data would be
written to STDOUT, because the stream is not initialized. This patch fixes both
issues.
* PHP-5.5: (27 commits)
fix non-standard C
update NEWS
5.4.41 next
fix CVE num
update NEWS
Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)
fix test
fix type in fix for #69085
fix memory leak & add test
Fix tests
fix CVE num
Fix bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability)
Fix test
Additional fix for bug #69324
More fixes for bug #69152
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar)
Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER)
Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4)
Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault)
...
Conflicts:
ext/standard/http_fopen_wrapper.c
Some environments, apparently regardless to the freetype version, output 155, while others 156. I guess we can accept both ;)
This reverts commit 592df89027.
* PHP-5.5:
Fix bug #67248 (imageaffinematrixget missing check of parameters)
Fix bug #67247 spl_fixedarray_resize integer overflow
fix news
add tests stuff to README
Updated NEWS
Fix Linux specific fail in error traces (cherry-picked and fix for bug #67245) Linux apparently does not like memcpy in overlapping regions...
This amends commit 8f4a537, which aimed to correct NULL dereference because of
missing check of gdImageCreateTrueColor() / gdImageCreate() return value. That
commit checks for negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows. Hence
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
is called before dst == NULL check.
This moves NULL check to happen right after gdImageCreate*(). It also removes
width and height check before gdImageCreate*(), as the same check is done by
image create functions (with an extra warning).
From thoger redhat com
Summary:
This caused issues when you picked a font with multiple maps, it wouldn't
pick the unicode version but instead pick the last one it saw. Change so
we cache on a per encoding level. There was even a todo list item in the code.
In an ideal world we can probably iterate through at font write time.
Test Plan:
See said unit test, it's Apache Licensed font included
Initial fix was PHP stuff
This one is libgd fix.
- filter invalid crop size
- dont try to copy on invalid position
- fix crop size when out of src image
- fix possible NULL deref
- fix possible integer overfloow
