Fix segfault and potential security issue in imagerotate().

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index ebfae80dcc1a10f27db888e266ef20dfafd77269..1f65e4469f24f9332e2df03af478e11514e3d1b6 100644 (file)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -3129,7 +3129,7 @@ gdImagePtr gdImageRotate (gdImagePtr src, double dAngle, int clrBack, int ignore
                return NULL;
        }
 
-       if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) {
+       if (!gdImageTrueColor(src) && (clrBack < 0 || clrBack>=gdImageColorsTotal(src))) {
                return NULL;
        }
 

diff --git a/ext/gd/tests/imagerotate_overflow.phpt b/ext/gd/tests/imagerotate_overflow.phpt
new file mode 100644 (file)
index 0000000..ade61d8
--- /dev/null
+++ b/ext/gd/tests/imagerotate_overflow.phpt
@@ -0,0 +1,32 @@
+--TEST--
+imagerotate() overflow with negative numbers
+--SKIPIF--
+<?php
+       if (!extension_loaded('gd')) {
+               die("skip gd extension not available.");
+       }
+
+       if (!function_exists('imagerotate')) {
+               die("skip imagerotate() not available.");
+       }
+?>
+--FILE--
+<?php
+
+$im = imagecreate(10, 10);
+
+$tmp = imagerotate ($im, 5, -9999999);
+
+var_dump($tmp);
+
+if ($tmp) {
+        imagedestroy($tmp);
+}
+
+if ($im) {
+        imagedestroy($im);
+}
+
+?>
+--EXPECT--
+bool(false)