- libgd #101, imagecreatefromgd can crash if gdImageCreate fails

diff --git a/ext/gd/libgd/gd_gd.c b/ext/gd/libgd/gd_gd.c
index 2d259cdd514e3d3c2bce96be6ecc94f1bc9d0266..55587d43e851f742e54ee362feb59a7221343fa0 100644 (file)
--- a/ext/gd/libgd/gd_gd.c
+++ b/ext/gd/libgd/gd_gd.c
@@ -122,6 +122,9 @@ static gdImagePtr _gdCreateFromFile (gdIOCtx * in, int *sx, int *sy)
        } else {
                im = gdImageCreate(*sx, *sy);
        }
+       if(!im) {
+               goto fail1;
+       }
        if (!_gdGetColors(in, im, gd2xFlag)) {
                goto fail2;
        }

diff --git a/ext/gd/tests/libgd00101.gd b/ext/gd/tests/libgd00101.gd
new file mode 100644 (file)
index 0000000..5516ce0
--- /dev/null
+++ b/ext/gd/tests/libgd00101.gd
@@ -0,0 +1 @@
+ÿýÿý
\ No newline at end of file

diff --git a/ext/gd/tests/libgd00101.phpt b/ext/gd/tests/libgd00101.phpt
new file mode 100644 (file)
index 0000000..1c6623d
--- /dev/null
+++ b/ext/gd/tests/libgd00101.phpt
@@ -0,0 +1,18 @@
+--TEST--
+libgd #101 (imagecreatefromgd can crash if gdImageCreate fails)
+--SKIPIF--
+<?php
+       if (!extension_loaded('gd')) die("skip gd extension not available\n");
+       if (!GD_BUNDLED) die("skip requires bundled GD library\n");
+?>
+--FILE--
+<?php
+$im = imagecreatefromgd(dirname(__FILE__) . '/libgd00101.gd');
+var_dump($im);
+?>
+--EXPECTF--
+Warning: imagecreatefromgd(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %slibgd00101.php on line %d
+
+Warning: imagecreatefromgd(): '%slibgd00101.gd' is not a valid GD file in %slibgd00101.php on line %d
+bool(false)