Fix bug #70976: fix boundary check on gdImageRotateInterpolated

diff --git a/NEWS b/NEWS
index d2a2f95b9a0ee75934d5f42247f32c1c4df10834..d9fcf14df48904dd55d7ac979881bbdb099b1e9a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,10 @@ PHP                                                                        NEWS
 
 ?? ??? 2015, PHP 5.5.31
 
+- GD:
+  . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index
+    Out of Bounds). (emmanuel dot law at gmail dot com).
+
 01 Oct 2015, PHP 5.5.30
 
 - Phar:

diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 65e2360776bc22eb4eaf734941519db608f4499f..efb584c1e4c60b827a78689e308af1b3b88b4f3c 100644 (file)
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2154,7 +2154,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
 {
        const int angle_rounded = (int)floor(angle * 100);
 
-       if (bgcolor < 0) {
+       if (bgcolor < 0 || bgcolor >= gdMaxColors) {
                return NULL;
        }
 

diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt
new file mode 100644 (file)
index 0000000..23af4ee
--- /dev/null
+++ b/ext/gd/tests/bug70976.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
+--SKIPIF--
+<?php
+       if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+?>
+--FILE--
+<?php
+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
+var_dump($img);
+?>
+--EXPECTF--
+bool(false)
\ No newline at end of file