Fix bug #70976: fix boundary check on gdImageRotateInterpolated

author Stanislav Malyshev <stas@php.net>

Tue, 8 Dec 2015 07:30:49 +0000 (23:30 -0800)

committer Anatol Belski <ab@php.net>

Mon, 4 Jan 2016 16:37:40 +0000 (17:37 +0100)
author Stanislav Malyshev <stas@php.net>
Tue, 8 Dec 2015 07:30:49 +0000 (23:30 -0800)
committer Anatol Belski <ab@php.net>
Mon, 4 Jan 2016 16:37:40 +0000 (17:37 +0100)
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c

index f70169dddcf379612b52b54977e72a28567f50ce..0f874ac4cbde9c1581bd81569a799c3c1b794273 100644 (file)
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
  {
         const int angle_rounded = (int)floor(angle * 100);
  
-       if (bgcolor < 0) {
+       if (bgcolor < 0 || bgcolor >= gdMaxColors) {
                 return NULL;
         }
  
diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt

new file mode 100644 (file)

index 0000000..23af4ee
--- /dev/null
+++ b/ext/gd/tests/bug70976.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
+--SKIPIF--
+<?php
+       if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+?>
+--FILE--
+<?php
+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
+var_dump($img);
+?>
+--EXPECTF--
+bool(false)
+\ No newline at end of file
author	Stanislav Malyshev <stas@php.net>
	Tue, 8 Dec 2015 07:30:49 +0000 (23:30 -0800)
committer	Anatol Belski <ab@php.net>
	Mon, 4 Jan 2016 16:37:40 +0000 (17:37 +0100)
ext/gd/libgd/gd_interpolation.c		patch \| blob \| history
ext/gd/tests/bug70976.phpt	[new file with mode: 0644]	patch \| blob