Fix #55005: imagepolygon num_points requirement

We actually have to check `$num_points` instead of `2*count($points)`,
because the latter may be greater than the former, but not all elements
of `$points` are guaranteed to be used.  This allowed to pass arrays
with excess elements to draw polygons with less than three vertices.

While the current implementation of `gdImagePolygon()` and friends
would allow us to draw monogons and digons, we don't allow that
anymore, because the respective drawing primitives work slightly
different (e.g. drawing lines support anti-aliasing, but drawing
general polygons does not).

To minimize the BC break, we do not fix this longstanding issue for PHP
7, but target PHP 8 only.

diff --git a/NEWS b/NEWS
index 102295dd7d1cf222f29c136480190036a7961fe6..3b85ad87736c85c05f2bd0603fde8f13d261d23c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ PHP                                                                        NEWS
     that allow global flag to configure query() or evaluate() calls.
 
 - GD:
+  . Fixed bug #55005 (imagepolygon num_points requirement). (cmb)
   . Replaced gd resources with objects. (Mark Randall)
   . Removed deprecated image2wbmp(). (cmb)
   . Removed deprecated png2wbmp() and jpeg2wbmp(). (cmb)

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 989a78cb0bce6a6a382a154b07e5ded40d010033..cc7472742040c4f209532d0d1c6d5ec448cdf58f 100644 (file)
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2745,13 +2745,8 @@ static void php_imagepolygon(INTERNAL_FUNCTION_PARAMETERS, int filled)
        col = COL;
 
        nelem = zend_hash_num_elements(Z_ARRVAL_P(POINTS));
-       if (nelem < 6) {
-               zend_value_error("You must have at least 3 points in your array");
-               return;
-       }
-
-       if (npoints <= 0) {
-               zend_value_error("You must give a positive number of points");
+       if (npoints < 3) {
+               zend_value_error("Polygon must have at least 3 points");
                return;
        }
 

diff --git a/ext/gd/tests/bug55005.phpt b/ext/gd/tests/bug55005.phpt
new file mode 100644 (file)
index 0000000..a48d924
--- /dev/null
+++ b/ext/gd/tests/bug55005.phpt
@@ -0,0 +1,21 @@
+--TEST--\r
+Bug #55005 (imagepolygon num_points requirement)\r
+--SKIPIF--\r
+<?php\r
+if (!extension_loaded('gd')) die('skip gd extension not available');\r
+?>\r
+--FILE--\r
+<?php\r
+require_once __DIR__ . '/func.inc';\r
+\r
+$g = imagecreate(300, 300);\r
+$bgnd = imagecolorallocate($g, 255, 255, 255);\r
+$fgnd = imagecolorallocate($g, 0, 0, 0);\r
+trycatch_dump(\r
+    fn () => imagefilledpolygon($g, array(100,10, 100,100, 180,100), 2, $fgnd),\r
+    fn () => imagepolygon($g, array(200,10, 200,100, 280,100), 2, $fgnd)\r
+);\r
+?>\r
+--EXPECT--\r
+!! [ValueError] Polygon must have at least 3 points\r
+!! [ValueError] Polygon must have at least 3 points\r

diff --git a/ext/gd/tests/imagefilledpolygon_negative.phpt b/ext/gd/tests/imagefilledpolygon_negative.phpt
deleted file mode 100644 (file)
index 165fa1c..0000000
--- a/ext/gd/tests/imagefilledpolygon_negative.phpt
+++ /dev/null
@@ -1,21 +0,0 @@
---TEST--
-imagefilledpolygon() with a negative num of points
---SKIPIF--
-<?php
-       if (!function_exists('imagefilledpolygon')) die('skip imagefilledpolygon() not available');
-?>
---FILE--
-<?php
-require __DIR__ . '/func.inc';
-
-$im = imagecreate(100, 100);
-$black = imagecolorallocate($im, 0, 0, 0);
-
-trycatch_dump(
-    fn() => imagefilledpolygon($im, array(0, 0, 0, 0, 0, 0), -1, $black)
-);
-
-imagedestroy($im);
-?>
---EXPECT--
-!! [ValueError] You must give a positive number of points

diff --git a/ext/gd/tests/imagepolygon_negative.phpt b/ext/gd/tests/imagepolygon_negative.phpt
deleted file mode 100644 (file)
index 96b2e75..0000000
--- a/ext/gd/tests/imagepolygon_negative.phpt
+++ /dev/null
@@ -1,21 +0,0 @@
---TEST--
-imagepolygon() with a negative num of points
---SKIPIF--
-<?php
-       if (!function_exists('imagepolygon')) die('skip imagepolygon() not available');
-?>
---FILE--
-<?php
-require __DIR__ . '/func.inc';
-
-$im = imagecreate(100, 100);
-$black = imagecolorallocate($im, 0, 0, 0);
-
-trycatch_dump(
-    fn() => imagepolygon($im, array(0, 0, 0, 0, 0, 0), -1, $black)
-);
-
-imagedestroy($im);
-?>
---EXPECT--
-!! [ValueError] You must give a positive number of points