]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0b4da7e)
Fix hypothetical segfault in gdTransformAffineCopy()
authorChristoph M. Becker <cmbecker69@gmx.de>
Mon, 6 Jan 2020 12:24:07 +0000 (13:24 +0100)
committerChristoph M. Becker <cmbecker69@gmx.de>
Mon, 6 Jan 2020 12:25:11 +0000 (13:25 +0100)
This has been reported to upstream[1], but since ext/gd never calls
`gdTransformAffineCopy()` for a palette image, it is not a bug for PHP.
Therefore we apply the fix to master only.

[1] <https://github.com/libgd/libgd/issues/586>

ext/gd/libgd/gd_interpolation.c patch | blob | history

diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 698e407fbfa567518b881a1b1b3d07eaa66260c9..6ea81ea61c4cadb0ef1c347c996d7ac8b9ab071e 100644 (file)
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2302,7 +2302,6 @@ int gdTransformAffineCopy(gdImagePtr dst,
        int backup_clipx1, backup_clipy1, backup_clipx2, backup_clipy2;
        register int x, y, src_offset_x, src_offset_y;
        double inv[6];
-       int *dst_p;
        gdPointF pt, src_pt;
        gdRect bbox;
        int end_x, end_y;
@@ -2365,11 +2364,18 @@ int gdTransformAffineCopy(gdImagePtr dst,
                }
        } else {
                for (y = 0; y <= end_y; y++) {
+                       unsigned char *dst_p = NULL;
+                       int *tdst_p = NULL;
+
                        pt.y = y + 0.5 + bbox.y;
                        if ((dst_y + y) < 0 || ((dst_y + y) > gdImageSY(dst) -1)) {
                                continue;
                        }
-                       dst_p = dst->tpixels[dst_y + y] + dst_x;
+                       if (dst->trueColor) {
+                               tdst_p = dst->tpixels[dst_y + y] + dst_x;
+                       } else {
+                               dst_p = dst->pixels[dst_y + y] + dst_x;
+                       }
 
                        for (x = 0; x <= end_x; x++) {
                                pt.x = x + 0.5 + bbox.x;
@@ -2378,7 +2384,11 @@ int gdTransformAffineCopy(gdImagePtr dst,
                                if ((dst_x + x) < 0 || (dst_x + x) > (gdImageSX(dst) - 1)) {
                                        break;
                                }
-                               *(dst_p++) = getPixelInterpolated(src, src_offset_x + src_pt.x, src_offset_y + src_pt.y, -1);
+                               if (dst->trueColor) {
+                                       *(tdst_p++) = getPixelInterpolated(src, src_offset_x + src_pt.x, src_offset_y + src_pt.y, -1);
+                               } else {
+                                       *(dst_p++) = getPixelInterpolated(src, src_offset_x + src_pt.x, src_offset_y + src_pt.y, -1);
+                               }
                        }
                }
        }
Unnamed repository; edit this file 'description' to name the repository.