- check max colors while loading gd2 palette image (patch by Tomas Hoger)

diff --git a/ext/gd/libgd/gd_gd.c b/ext/gd/libgd/gd_gd.c
index 55587d43e851f742e54ee362feb59a7221343fa0..81a957d4141e5d915c05b6b5109dc56d8f905d68 100644 (file)
--- a/ext/gd/libgd/gd_gd.c
+++ b/ext/gd/libgd/gd_gd.c
@@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
                        if (!gdGetWord(&im->colorsTotal, in)) {
                                goto fail1;
                        }
+                       if (im->colorsTotal > gdMaxColors) {
+                               goto fail1;
+                       }
                }
                /* Int to accommodate truecolor single-color transparency */
                if (!gdGetInt(&im->transparent, in)) {

diff --git a/ext/gd/tests/crafted.gd2 b/ext/gd/tests/crafted.gd2
new file mode 100644 (file)
index 0000000..45c944c
Binary files /dev/null and b/ext/gd/tests/crafted.gd2 differ

diff --git a/ext/gd/tests/crafted_gd2.phpt b/ext/gd/tests/crafted_gd2.phpt
new file mode 100644 (file)
index 0000000..7bcbc4e
--- /dev/null
+++ b/ext/gd/tests/crafted_gd2.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Test max colors for a gd image.
+--SKIPIF--
+<?php
+       if (!extension_loaded('gd')) {
+               die("skip gd extension not available\n");
+       }
+?>
+--FILE--
+<?php
+imagecreatefromgd(dirname(__FILE__) . '/crafted.gd2');
+?>
+--EXPECTF--
+
+Warning: imagecreatefromgd(): '%scrafted.gd2' is not a valid GD file in %s on line %d
+