Fix bug #71952: Corruption inside imageaffinematrixget

author Stanislav Malyshev <stas@php.net>

Tue, 19 Apr 2016 06:31:03 +0000 (23:31 -0700)

committer Stanislav Malyshev <stas@php.net>

Tue, 19 Apr 2016 06:33:21 +0000 (23:33 -0700)
author Stanislav Malyshev <stas@php.net>
Tue, 19 Apr 2016 06:31:03 +0000 (23:31 -0700)
committer Stanislav Malyshev <stas@php.net>
Tue, 19 Apr 2016 06:33:21 +0000 (23:33 -0700)
diff --git a/NEWS b/NEWS

index dbc0f733d8f4971f2bd2996c4fda5c2384586ac6..58b8631d1d30a48a871d415450b74fd5bded9a17 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,9 @@ PHP                                                                        NEWS
  - Date:
    . Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)
  
+- GD: 
+  . Fixed bug #71952 (Corruption inside imageaffinematrixget). (Stas)
+
  - OCI8:
    . Fixed bug #71422 (Fix ORA-01438: value larger than specified precision
      allowed for this column). (Chris Jones)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c

index b7203e7b8cf7e43c09a641af108879662c7e16f1..df0a32f1ab3938fdecb08e6aee08ebcce29ffa75 100644 (file)
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -5362,7 +5362,10 @@ PHP_FUNCTION(imageaffinematrixget)
                                 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number is expected as option");
                                 RETURN_FALSE;
                         }
-                       convert_to_double_ex(&options);
+                       if(Z_TYPE_P(options) != IS_DOUBLE) {
+                               Z_ADDREF_P(options);
+                               convert_to_double_ex(&options);
+                       }
                         angle = Z_DVAL_P(options);
  
                         if (type == GD_AFFINE_SHEAR_HORIZONTAL) {
diff --git a/ext/gd/tests/bug71952.phpt b/ext/gd/tests/bug71952.phpt

new file mode 100644 (file)

index 0000000..f1f66bf
--- /dev/null
+++ b/ext/gd/tests/bug71952.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #71952 (Corruption inside imageaffinematrixget)
+--SKIPIF--
+<?php
+       if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+?>
+--FILE--
+<?php
+$vals=[str_repeat("A","200"),0,1,2,3,4,5,6,7,8,9];
+imageaffinematrixget(4,$vals[0]);
+var_dump($vals[0]);
+?>
+--EXPECTF--
+string(200) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+\ No newline at end of file
author	Stanislav Malyshev <stas@php.net>
	Tue, 19 Apr 2016 06:31:03 +0000 (23:31 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Tue, 19 Apr 2016 06:33:21 +0000 (23:33 -0700)
NEWS		patch \| blob \| history
ext/gd/gd.c		patch \| blob \| history
ext/gd/tests/bug71952.phpt	[new file with mode: 0644]	patch \| blob