]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b92216b)
Fix #73279: Integer overflow in gdImageScaleBilinearPalette()
authorChristoph M. Becker <cmbecker69@gmx.de>
Mon, 10 Oct 2016 09:40:16 +0000 (11:40 +0200)
committerChristoph M. Becker <cmbecker69@gmx.de>
Mon, 10 Oct 2016 09:41:39 +0000 (11:41 +0200)
The color components are supposed to be in range 0..255, so we must not
cast them to `signed char`, what can be the default for `char`.

Port of <https://github.com/libgd/libgd/commit/77c8d359>.

NEWS patch | blob | history
ext/gd/libgd/gd_interpolation.c patch | blob | history
ext/gd/tests/bug73279.phpt [new file with mode: 0644] patch | blob
ext/gd/tests/bug73279_old.phpt [new file with mode: 0644] patch | blob

diff --git a/NEWS b/NEWS
index a41168d066cf86adfa7b7ee590ad4c83deaf8160..9fc658ec7b1e5ad43912a48ed9c6d251c0fad8bc 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ PHP                                                                        NEWS
   . Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
   . Fixed bug #73272 (imagescale() is not affected by, but affects
     imagesetinterpolation()). (cmb)
+  . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
 
 - Standard:
   . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 4c11213a8eb71a92c32b64e0829ceaaf1ec972be..1c151b55090d4225eae1b32df406e67d6f07f7e8 100644 (file)
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -1331,10 +1331,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
                        f_a4 = gd_itofx(gdTrueColorGetAlpha(pixel4));
 
                        {
-                               const char red = (char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
-                               const char green = (char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
-                               const char blue = (char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
-                               const char alpha = (char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
+                               const unsigned char red = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
+                               const unsigned char green = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
+                               const unsigned char blue = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
+                               const unsigned char alpha = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
 
                                new_img->tpixels[dst_offset_v][dst_offset_h] = gdTrueColorAlpha(red, green, blue, alpha);
                        }
diff --git a/ext/gd/tests/bug73279.phpt b/ext/gd/tests/bug73279.phpt
new file mode 100644 (file)
index 0000000..e6c6709
--- /dev/null
+++ b/ext/gd/tests/bug73279.phpt
@@ -0,0 +1,20 @@
+--TEST--\r
+Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())\r
+--SKIPIF--\r
+<?php\r
+if (!extension_loaded('gd')) die('skip gd extension not available');\r
+if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.4', '<')) {\r
+    die('skip only for bundled libgd or external libgd >= 2.2.4');\r
+}\r
+?>\r
+--FILE--\r
+<?php\r
+$src = imagecreate(100, 100);\r
+imagecolorallocate($src, 255, 255, 255);\r
+$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);\r
+printf("color: %x\n", imagecolorat($dst, 99, 99));\r
+?>\r
+===DONE===\r
+--EXPECT--\r
+color: ffffff\r
+===DONE===\r
diff --git a/ext/gd/tests/bug73279_old.phpt b/ext/gd/tests/bug73279_old.phpt
new file mode 100644 (file)
index 0000000..0cbbec3
--- /dev/null
+++ b/ext/gd/tests/bug73279_old.phpt
@@ -0,0 +1,22 @@
+--TEST--\r
+Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())\r
+--SKIPIF--\r
+<?php\r
+if (!extension_loaded('gd')) die('skip gd extension not available');\r
+if (GD_BUNDLED || version_compare(GD_VERSION, '2.2.4', '>=')) {\r
+    die('skip only for external libgd < 2.2.4');\r
+}\r
+?>\r
+--FILE--\r
+<?php\r
+$src = imagecreate(100, 100);\r
+imagecolorallocate($src, 255, 255, 255);\r
+$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);\r
+printf("color: %x\n", imagecolorat($dst, 99, 99));\r
+?>\r
+===DONE===\r
+--XFAIL--\r
+Bug #330 has not yet been fixed\r
+--EXPECT--\r
+color: ffffff\r
+===DONE===\r
Unnamed repository; edit this file 'description' to name the repository.