Fix bug#72697 - select_colors write out-of-bounds
authorAnatol Belski <ab@php.net>
Tue, 16 Aug 2016 12:37:39 +0000 (14:37 +0200)
committerAnatol Belski <ab@php.net>
Tue, 16 Aug 2016 12:37:39 +0000 (14:37 +0200)
(cherry picked from commit b6f13a5ef9d6280cf984826a5de012a32c396cd4)

Conflicts:
ext/gd/gd.c

ext/gd/gd.c
ext/gd/tests/bug72697.phpt [new file with mode: 0644]

index c952ee9b5a97f7004a02eff67e759eaf00dbd62a..0346a74634b09c1399bcd5db5643b97a7f61f07e 100644 (file)
@@ -1537,11 +1537,11 @@ PHP_FUNCTION(imagetruecolortopalette)
                RETURN_FALSE;
        }
 
-       if (ncolors <= 0) {
-               php_error_docref(NULL, E_WARNING, "Number of colors has to be greater than zero");
+       if (ncolors <= 0 || ZEND_LONG_INT_OVFL(ncolors)) {
+               php_error_docref(NULL, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
                RETURN_FALSE;
        }
-       gdImageTrueColorToPalette(im, dither, ncolors);
+       gdImageTrueColorToPalette(im, dither, (int)ncolors);
 
        RETURN_TRUE;
 }
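Review bot: The new bound in `if (ncolors <= 0 || ZEND_LONG_INT_OVFL(ncolors))` only guarantees that the `(int)ncolors` cast is lossless; values up to INT_MAX still reach gdImageTrueColorToPalette, which is far more than a palette image can hold. Whether the library clamps the count is not visible in this hunk, so the out-of-bounds write named in the commit title is closed here only for the truncation case. I would state that dependency above the check, e.g. `/* guards the zend_long -> int narrowing only; gdImageTrueColorToPalette is expected to clamp to the palette size */`, or reject counts above the palette limit at this point. The body of imagetruecolortopalette starts outside the hunk.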
diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt
new file mode 100644 (file)
index 0000000..6110385
--- /dev/null
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72697: select_colors write out-of-bounds
+--SKIPIF--
+<?php 
+if (!function_exists("imagecreatetruecolor")) die("skip");
+if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
+?>
+--FILE--
+<?php
+
+$img=imagecreatetruecolor(10, 10);
+imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
+?>
+DONE
+--EXPECTF--
+Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
+DONE
\ No newline at end of file
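Review bot: The test pins a single value, `PHP_INT_MAX / 8`, which is a float that the parameter parser converts back to an integer, and it never touches the boundary the new check introduces. A second call with the first rejected value, e.g. `imagetruecolortopalette($img, false, 2147483647 + 1);`, would show that the guard triggers exactly above INT_MAX rather than only for very large inputs. Writing the existing argument as an integer expression such as `1 << 60` would also make the intent independent of float-to-int conversion. Each added call needs its own warning line in `--EXPECTF--`.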