scottmac Wed Dec 10 13:30:12 2008 UTC Added files: /php-src/ext/gd/tests imagerotate_overflow.phpt
Modified files: /php-src/ext/gd/libgd gd.c Log: Fix segfault and potential security issue in imagerotate(). http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.115&r2=1.116&diff_format=u Index: php-src/ext/gd/libgd/gd.c diff -u php-src/ext/gd/libgd/gd.c:1.115 php-src/ext/gd/libgd/gd.c:1.116 --- php-src/ext/gd/libgd/gd.c:1.115 Thu Jul 31 09:23:59 2008 +++ php-src/ext/gd/libgd/gd.c Wed Dec 10 13:30:11 2008 @@ -3129,7 +3129,7 @@ return NULL; } - if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) { + if (!gdImageTrueColor(src) && (clrBack < 0 || clrBack>=gdImageColorsTotal(src))) { return NULL; } http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/imagerotate_overflow.phpt?view=markup&rev=1.1 Index: php-src/ext/gd/tests/imagerotate_overflow.phpt +++ php-src/ext/gd/tests/imagerotate_overflow.phpt --TEST-- imagerotate() overflow with negative numbers --SKIPIF-- <?php if (!extension_loaded('gd')) { die("skip gd extension not available."); } if (!function_exists('imagerotate')) { die("skip imagerotate() not available."); } ?> --FILE-- <?php $im = imagecreate(10, 10); $tmp = imagerotate ($im, 5, -9999999); var_dump($tmp); if ($tmp) { imagedestroy($tmp); } if ($im) { imagedestroy($im); } ?> --EXPECT-- bool(false) -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php