Fixed bug #53492 (fix crash if anti-aliasing steps are invalid).

diff --git a/NEWS b/NEWS
index d86da2d9c314f4d1ac7d4fa8612b022e20ea3841..f836c6876048d7e045a65e5736420d7ec3da9c1c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,21 +1,18 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2010, PHP 5.2.15
-
-02 Dec 2010, PHP 5.2.15RC2
+09 Dec 2010, PHP 5.2.15
 - Fixed extract() to do not overwrite $GLOBALS and $this when using
-  EXTR_OVERWRITE. (jorto at redhat dot com)
-
-18 Nov 2010, PHP 5.2.15RC1
+  EXTR_OVERWRITE. (jorto at redhat dot com)  
 - Fixed crash in zip extract method (possible CWE-170). 
   (Maksymilian Arciemowicz, Pierre)
 - Fixed a possible double free in imap extension (Identified by Mateusz 
   Kocielski). (CVE-2010-4150). (Ilia)
 - Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre)
 - Fixed possible crash in mssql_fetch_batch(). (Kalle)
-
 - Fixed NULL pointer dereference in ZipArchive::getArchiveComment.
   (CVE-2010-3709). (Maksymilian Arciemowicz)
+
+- Fixed bug #53492 (fix crash if anti-aliasing steps are invalid). (Pierre)
 - Fixed bug #53323 (pdo_firebird getAttribute() crash).
   (preeves at ibphoenix dot com)
 - Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index ccbe3c136a32416d03bb6e9c0a546a74f2d43155..8588e1279888fb5be11c62e42b9eb170a454acf0 100644 (file)
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -4593,6 +4593,11 @@ PHP_FUNCTION(imagepstext)
                return;
        }
 
+       if (aa_steps != 4 || aa_steps != 16) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "AA steps must be 4 or 16");
+               RETURN_FALSE;
+       }
+
        ZEND_FETCH_RESOURCE(bg_img, gdImagePtr, &img, -1, "Image", le_gd);
        ZEND_FETCH_RESOURCE(f_ind, int *, &fnt, -1, "Type 1 font", le_ps_font);