Fix Bug #68713 infinite loop / infinite free

PHP not affected (emalloc never return NULL)
Just to reduce diff with upstream and for legibility

Apply:
https://bitbucket.org/libgd/gd-libgd/commits/3c0d2203b2672b688d4d2326ff3a60b019879062
https://bitbucket.org/libgd/gd-libgd/commits/4af76c97a478d4e7c4b64e08ac67abbca7cbd0fb

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 59fcd3533a827479278b229a1e0ae803b4c30e3f..10303032a15d55262dac96e8fa26e0589a58a4c0 100644 (file)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -3049,8 +3049,8 @@ int gdImagePaletteToTrueColor(gdImagePtr src)
                }
        }
 
-       /* free old palette buffer */
-       for (yy = y - 1; yy >= yy - 1; yy--) {
+       /* free old palette buffer (y is sy) */
+       for (yy = 0; yy < y; yy++) {
                gdFree(src->pixels[yy]);
        }
        gdFree(src->pixels);
@@ -3067,13 +3067,11 @@ int gdImagePaletteToTrueColor(gdImagePtr src)
        return 1;
 
 clean_on_error:
-       if (y > 0) {
-
-               for (yy = y; yy >= yy - 1; y--) {
-                       gdFree(src->tpixels[y]);
-               }
-               gdFree(src->tpixels);
+       /* free new true color buffer (y is not allocated, have failed) */
+       for (yy = 0; yy < y; yy++) {
+               gdFree(src->tpixels[yy]);
        }
+       gdFree(src->tpixels);
        return 0;
 }