Fixed Bug #65060 imagecreatefrom... crashes with user streams
authorRemi Collet <remi@php.net>
Fri, 21 Jun 2013 12:11:04 +0000 (14:11 +0200)
committerRemi Collet <remi@php.net>
Fri, 21 Jun 2013 12:11:04 +0000 (14:11 +0200)
Fixed Bug #65084 imagecreatefromjpeg fails with URL

Regression introduced in 8a90aad (drop of USE_GD_IOCTX)
Secure with php_stream_can_cast to avoid segfault in php_stream_cast.
(encountered when imagecreatefromxpm with URL)

NEWS
ext/gd/gd.c

diff --git a/NEWS b/NEWS
index d8b74c2b9a63c9912a127cce159187d998ac05ed..577d2e40a489988eff10f21ab53cd51fa7836e5b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
 - GD
   . Fixed #65070 (bgcolor does not use the same format as the input image with
     imagerotate). (Pierre)
+  . Fixed Bug #65060 (imagecreatefrom... crashes with user streams). (Remi)
+  . Fixed Bug #65084 (imagecreatefromjpeg fails with URL). (Remi)
 
 20 Jun 2013, PHP 5.5.0
 
index 4ebac94fcb398a226e3e1645041f23651ee05eab..21aa9e27274a6a11a25e27a8b0098ac21476715b 100644 (file)
@@ -2361,13 +2361,12 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
                }
        }
 
+
        stream = php_stream_open_wrapper(file, "rb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
        if (stream == NULL)     {
                RETURN_FALSE;
        }
 
-       ioctx_func_p = NULL; /* don't allow sockets without IOCtx */
-
        if (image_type == PHP_GDIMG_TYPE_WEBP) {
                size_t buff_size;
                char *buff;
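Review bot: The only line this hunk adds is a second blank line before `stream = php_stream_open_wrapper(...)`, which is whitespace noise and should be dropped. The removed `ioctx_func_p = NULL; /* don't allow sockets without IOCtx */` was the only in-code statement of how non-file streams are treated. A replacement comment at the same spot would keep that policy visible, for example `/* streams that cannot be cast to FILE* (URLs, user streams) are read through ioctx_func_p */`, worded to match what the fallback actually does. The body of _php_image_create_from continues outside this hunk, so the fallback path and any size limit on data read from a remote or user stream cannot be confirmed from here and are worth checking.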
@@ -2419,7 +2418,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
                io_ctx->gd_free(io_ctx);
                pefree(buff, 1);
        }
-       else {
+       else if (php_stream_can_cast(stream, PHP_STREAM_AS_STDIO)) {
                /* try and force the stream to be FILE* */
                if (FAILURE == php_stream_cast(stream, PHP_STREAM_AS_STDIO | PHP_STREAM_CAST_TRY_HARD, (void **) &fp, REPORT_ERRORS)) {
                        goto out_err;
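Review bot: The new guard `else if (php_stream_can_cast(stream, PHP_STREAM_AS_STDIO))` tests the result for truthiness, but as far as I know php_stream_can_cast returns SUCCESS (0) or FAILURE (-1), so the branch would be entered exactly when the cast is not possible; please confirm against main/php_streams.h. An explicit comparison, `else if (php_stream_can_cast(stream, PHP_STREAM_AS_STDIO) == SUCCESS) {`, would match the `FAILURE == php_stream_cast(...)` check on the following line and make the intent unambiguous. The rest of the if/else chain is outside the hunk, so what happens to a stream that fails the check is not visible here. The file list shows only NEWS and ext/gd/gd.c, so a regression test covering a user stream and a URL source would be worth adding alongside this crash fix.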