scottmac Wed Dec 10 13:33:10 2008 UTC Added files: (Branch: PHP_5_2) /php-src/ext/gd/tests imagerotate_overflow.phpt
Modified files: /php-src/ext/gd/libgd gd.c Log: MFH Fix segfault and potential security issue in imagerotate().
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.23&r2=1.90.2.1.2.24&diff_format=u
Index: php-src/ext/gd/libgd/gd.c
diff -u php-src/ext/gd/libgd/gd.c:1.90.2.1.2.23 php-src/ext/gd/libgd/gd.c:1.90.2.1.2.24
--- php-src/ext/gd/libgd/gd.c:1.90.2.1.2.23 Thu Jul 31 09:22:17 2008
+++ php-src/ext/gd/libgd/gd.c Wed Dec 10 13:33:10 2008
@@ -3136,7 +3136,7 @@
 return NULL;
 }
- if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) {
+ if (!gdImageTrueColor(src) && (clrBack < 0 || clrBack>=gdImageColorsTotal(src))) {
 return NULL;
 }
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imagerotate_overflow.phpt?view=markup&rev=1.1
Index: php-src/ext/gd/tests/imagerotate_overflow.phpt
+++ php-src/ext/gd/tests/imagerotate_overflow.phpt
--TEST--
imagerotate() overflow with negative numbers
--SKIPIF--
<?php if (!extension_loaded('gd')) { die("skip gd extension not available."); } if (!function_exists('imagerotate')) { die("skip imagerotate() not available."); } ?>
--FILE--
<?php $im = imagecreate(10, 10); $tmp = imagerotate ($im, 5, -9999999); var_dump($tmp); if ($tmp) { imagedestroy($tmp); } if ($im) { imagedestroy($im); } ?>
--EXPECT--
bool(false)
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
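Review bot: The range check on `clrBack` in the changed `if` has no comment saying why it applies only to palette images, so a later reader could take the truecolor bypass for an oversight or drop the new `clrBack < 0` half as redundant. A one-line comment above the condition would record the intent, for example `/* palette image: clrBack is a colour-table index and must lie in [0, colorsTotal) */`. That clrBack is used as an index further down is inferred from the comparison with gdImageColorsTotal(src); the enclosing function starts and ends outside the hunk. As a style point, `clrBack>=gdImageColorsTotal(src)` could take the same spacing as the new `clrBack < 0`.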
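Review bot: The new test pins only the negative side of the range check, on an image with no colours allocated, so neither the upper bound of the same condition nor the success path for a valid palette index is covered. Allocating one colour with `imagecolorallocate($im, 0, 0, 0);` and adding `var_dump(imagerotate($im, 5, 0) !== false);` and `var_dump(imagerotate($im, 5, 1));` would exercise an in-range index and the first out-of-range one. The `--EXPECT--` section would then presumably gain `bool(true)` and `bool(false)`, which guards against a later change loosening either side of the check. A short comment in the `--FILE--` block saying that -9999999 is an out-of-range palette index would also make the purpose of the constant clear.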