scottmac Wed Dec 10 13:33:10 2008 UTC
Added files: (Branch: PHP_5_2)
/php-src/ext/gd/tests imagerotate_overflow.phpt
Modified files:
/php-src/ext/gd/libgd gd.c
Log:
MFH Fix segfault and potential security issue in imagerotate().
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.23&r2=1.90.2.1.2.24&diff_format=u
Index: php-src/ext/gd/libgd/gd.c
diff -u php-src/ext/gd/libgd/gd.c:1.90.2.1.2.23
php-src/ext/gd/libgd/gd.c:1.90.2.1.2.24
--- php-src/ext/gd/libgd/gd.c:1.90.2.1.2.23 Thu Jul 31 09:22:17 2008
+++ php-src/ext/gd/libgd/gd.c Wed Dec 10 13:33:10 2008
@@ -3136,7 +3136,7 @@
return NULL;
}
- if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) {
+ if (!gdImageTrueColor(src) && (clrBack < 0 ||
clrBack>=gdImageColorsTotal(src))) {
return NULL;
}
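Review bot: The widened guard on the `+` line carries no comment saying why a negative `clrBack` must be rejected for palette images, and the reason is not obvious from the condition alone. Presumably `clrBack` is later used as an index into the palette arrays, so a negative value would read outside them; a one-line comment such as `/* clrBack is a palette index here: reject anything outside [0, colorsTotal) */` above the `if` would keep the lower bound from being dropped in a later cleanup. The check applies only when `!gdImageTrueColor(src)`, so it is worth confirming that the truecolor path treats `clrBack` purely as a colour value and never as an index. The enclosing function starts and ends outside the hunk.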
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imagerotate_overflow.phpt?view=markup&rev=1.1
Index: php-src/ext/gd/tests/imagerotate_overflow.phpt
+++ php-src/ext/gd/tests/imagerotate_overflow.phpt
--TEST--
imagerotate() overflow with negative numbers
--SKIPIF--
<?php
if (!extension_loaded('gd')) {
die("skip gd extension not available.");
}
if (!function_exists('imagerotate')) {
die("skip imagerotate() not available.");
}
?>
--FILE--
<?php
$im = imagecreate(10, 10);
$tmp = imagerotate ($im, 5, -9999999);
var_dump($tmp);
if ($tmp) {
imagedestroy($tmp);
}
if ($im) {
imagedestroy($im);
}
?>
--EXPECT--
bool(false)
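Review bot: The `--FILE--` section exercises only one far-out-of-range value (`-9999999`) on a palette image with no allocated colours, so it does not pin either boundary of the new check. Adding a case for `-1`, and one for an index equal to `imagecolorstotal($im)` after a few `imagecolorallocate()` calls, would catch a regression in the lower or upper bound. A truecolor image from `imagecreatetruecolor()` rotated with a negative background would also record how that unguarded path is expected to behave. Each extra case is a single `imagerotate()` call plus a check of its result type.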