iliaa Thu Aug 10 18:34:22 2006 UTC
Modified files: (Branch: PHP_5_1)
/php-src NEWS
/php-src/ext/gd/libgd gd.c gd_gd2.c gd_gif_in.c gd_gif_out.c
Log:
MFH: Fixed bug #38112 (corrupted gif segfaults) (Pierre)
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.563&r2=1.2027.2.564&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.563 php-src/NEWS:1.2027.2.564
--- php-src/NEWS:1.2027.2.563 Thu Aug 10 17:16:35 2006
+++ php-src/NEWS Thu Aug 10 18:34:22 2006
@@ -8,6 +8,7 @@
- Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
execution). (Tony)
- Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus)
+- Fixed bug #38112 (corrupted gif segfaults) (Pierre)
- Fixed bug #37587 (var without attribute causes segfault). (Marcus)
- Fixed bug #37576 (FastCGI env (cgi vars) table overflow). (Piotr)
- Fixed bug #37496 (FastCGI output buffer overrun). (Piotr, Dmitry)
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1&r2=1.90.2.2&diff_format=u
Index: php-src/ext/gd/libgd/gd.c
diff -u php-src/ext/gd/libgd/gd.c:1.90.2.1 php-src/ext/gd/libgd/gd.c:1.90.2.2
--- php-src/ext/gd/libgd/gd.c:1.90.2.1 Fri Sep 30 20:48:05 2005
+++ php-src/ext/gd/libgd/gd.c Thu Aug 10 18:34:22 2006
@@ -2161,7 +2161,7 @@
for (x = 0; (x < w); x++) {
int c = gdImageGetPixel (src, srcX + x,
srcY + y);
if (c != src->transparent) {
- gdImageSetPixel (dst, dstX + x,
dstY + y, gdTrueColor(src->red[c], src->green[c], src->blue[c]));
+ gdImageSetPixel(dst, dstX + x,
dstY + y, gdTrueColorAlpha(src->red[c], src->green[c], src->blue[c],
src->alpha[c]));
}
}
}
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gd2.c?r1=1.16.4.1&r2=1.16.4.2&diff_format=u
Index: php-src/ext/gd/libgd/gd_gd2.c
diff -u php-src/ext/gd/libgd/gd_gd2.c:1.16.4.1
php-src/ext/gd/libgd/gd_gd2.c:1.16.4.2
--- php-src/ext/gd/libgd/gd_gd2.c:1.16.4.1 Thu Aug 18 12:54:43 2005
+++ php-src/ext/gd/libgd/gd_gd2.c Thu Aug 10 18:34:22 2006
@@ -430,6 +430,10 @@
gdImagePtr im;
+ if (w<1 || h <1) {
+ return 0;
+ }
+
/* The next few lines are basically copied from gd2CreateFromFile
* we change the file size, so don't want to use the code directly.
* but we do need to know the file size.
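Review bot: The added guard rejects only `w` or `h` below 1; nothing in the hunk bounds them from above. If they reach an allocation or a `w * h` size computation later in the function (outside this hunk), an oversized request still needs its own overflow check there. A one-line comment such as `/* reject empty or negative regions before anything is allocated */` would record the intent of the guard. If the function returns `gdImagePtr`, as the declaration of `im` suggests, `return NULL;` states the failure more clearly than `return 0;`.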
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.5.4.4&r2=1.5.4.5&diff_format=u
Index: php-src/ext/gd/libgd/gd_gif_in.c
diff -u php-src/ext/gd/libgd/gd_gif_in.c:1.5.4.4
php-src/ext/gd/libgd/gd_gif_in.c:1.5.4.5
--- php-src/ext/gd/libgd/gd_gif_in.c:1.5.4.4 Mon May 8 11:56:14 2006
+++ php-src/ext/gd/libgd/gd_gif_in.c Thu Aug 10 18:34:22 2006
@@ -185,18 +185,15 @@
bitPixel = 1<<((buf[8]&0x07)+1);
+ if (!(im = gdImageCreate(imw, imh))) {
+ return 0;
+ }
+ im->interlace = BitSet(buf[8], INTERLACE);
if (! useGlobalColormap) {
- if (ReadColorMap(fd, bitPixel, localColorMap)) {
+ if (ReadColorMap(fd, bitPixel, localColorMap)) {
return 0;
}
- }
-
- if (!(im = gdImageCreate(imw, imh))) {
- return 0;
- }
- im->interlace = BitSet(buf[8], INTERLACE);
- if (! useGlobalColormap) {
ReadImage(im, fd, imw, imh, localColorMap,
BitSet(buf[8], INTERLACE));
/*1.4//imageCount != imageNumber); */
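Review bot: With `gdImageCreate()` now called before the local colour map is read, the `return 0;` taken when `ReadColorMap()` fails leaves `im` allocated. A GIF with a truncated local colour map therefore leaks one image per call. Release it on that path: `gdImageDestroy(im); return 0;`. The enclosing function starts and ends outside the hunk, so any other early return between the allocation and the end of the frame handling should be checked for the same leak.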
@@ -217,6 +214,10 @@
if (!im) {
return 0;
}
+ if (!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
/* Check for open colors at the end, so
we can reduce colorsTotal and ultimately
BitsPerPixel */
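Review bot: The new `!im->colorsTotal` test has no comment saying why a zero palette means failure, and the reason is only visible in another hunk of this file. The reader routine patched at -507 (apparently `ReadImage`) returns early on a failed read or on `c > MAX_LWZ_BITS`, before it assigns `im->colorsTotal = gdMaxColors`, and it has no return value to report that. Add something like `/* colorsTotal is still 0 when the image data could not be decoded */` above the check. The test relies on `gdImageCreate()` leaving `colorsTotal` at zero, which is not shown here and should be confirmed.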
@@ -507,6 +508,18 @@
int v;
int xpos = 0, ypos = 0, pass = 0;
int i;
+
+ /*
+ ** Initialize the Compression routines
+ */
+ if (! ReadOK(fd,&c,1)) {
+ return;
+ }
+
+ if (c > MAX_LWZ_BITS) {
+ return;
+ }
+
/* Stash the color map into the image */
for (i=0; (i<gdMaxColors); i++) {
im->red[i] = cmap[CM_RED][i];
@@ -516,12 +529,7 @@
}
/* Many (perhaps most) of these colors will remain marked open. */
im->colorsTotal = gdMaxColors;
- /*
- ** Initialize the Compression routines
- */
- if (! ReadOK(fd,&c,1)) {
- return;
- }
+
if (LWZReadByte(fd, TRUE, c) < 0) {
return;
}
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_out.c?r1=1.1.6.1&r2=1.1.6.2&diff_format=u
Index: php-src/ext/gd/libgd/gd_gif_out.c
diff -u php-src/ext/gd/libgd/gd_gif_out.c:1.1.6.1
php-src/ext/gd/libgd/gd_gif_out.c:1.1.6.2
--- php-src/ext/gd/libgd/gd_gif_out.c:1.1.6.1 Mon Mar 13 21:56:38 2006
+++ php-src/ext/gd/libgd/gd_gif_out.c Thu Aug 10 18:34:22 2006
@@ -265,9 +265,11 @@
int InitCodeSize;
int i;
GifCtx ctx;
+
+ memset(&ctx, 0, sizeof(ctx));
ctx.Interlace = GInterlace;
ctx.in_count = 1;
- memset(&ctx, 0, sizeof(ctx));
+
ColorMapSize = 1 << BitsPerPixel;
RWidth = ctx.Width = GWidth;