From: Pierre Joye
Date: Tue, 19 Jul 2016 06:37:23 +0000 (+0700)
Subject: fix #72512, invalid read or write for palette image when invalid transparent index...
X-Git-Tag: php-7.1.0beta1~31^2^2^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0fbcff1b35c1005b8d2cdfd33184867912d9d83a;p=php
fix #72512, invalid read or write for palette image when invalid transparent index is used
---
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 4dad95ae39..927ecc5439 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -599,15 +599,18 @@ void gdImageColorDeallocate (gdImagePtr im, int color)
 void gdImageColorTransparent (gdImagePtr im, int color)
 {
+ if (color < 0) {
+ return;
+ }
 if (!im->trueColor) {
+ if((color >= im->colorsTotal)) {
+ return;
+ }
+ /* Make the old transparent color opaque again */
 if (im->transparent != -1) {
 im->alpha[im->transparent] = gdAlphaOpaque;
 }
- if (color > -1 && color < im->colorsTotal && color < gdMaxColors) {
- im->alpha[color] = gdAlphaTransparent;
- } else {
- return;
- }
+ im->alpha[color] = gdAlphaTransparent;
 }
 im->transparent = color;
 }
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 4fa23f0a14..81ea88525a 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -1225,7 +1225,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
 if (new_img == NULL) {
 return NULL;
 }
- new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+
+ if (transparent < 0) {
+ /* uninitialized */
+ new_img->transparent = -1;
+ } else {
+ new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+ }
 for (i=0; i < _height; i++) {
 long j;
diff --git a/ext/gd/tests/bug72512.phpt b/ext/gd/tests/bug72512.phpt
new file mode 100644
index 0000000000..2a2024d4cb
--- /dev/null
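Review bot: The new early return on `color < 0` at the top of gdImageColorTransparent also swallows `-1`, so a caller can no longer clear the transparent colour; the removed code still reached `im->transparent = color` for truecolor images when the value was negative. If -1 is meant to remain the "no transparency" sentinel (the palette branch itself tests `im->transparent != -1`), handle it explicitly before rejecting other negatives, e.g. `if (color == -1) { im->transparent = -1; return; }`. The palette branch also drops the old `color < gdMaxColors` bound and now depends on `im->colorsTotal` never exceeding the size of `im->alpha`; writing the guard as `if (color >= im->colorsTotal || color >= gdMaxColors) {` keeps the store bounded even if colorsTotal is wrong. The store through `im->alpha[im->transparent]` has the same exposure, since only -1 is excluded there.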
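Review bot: The guard added in gdImageScaleBilinearPalette rejects only a negative `transparent`, so an index at or above the palette size still reaches `im->red[transparent]` through `im->alpha[transparent]` in the else branch. Where `transparent` is assigned lies outside the hunk; if it comes straight from the image's stored transparent index, it needs an upper bound as well, for example `if (transparent < 0 || transparent >= gdMaxColors) {`. The comment `/* uninitialized */` would be more accurate as `/* no transparent color set */`, because -1 is the sentinel value rather than uninitialised memory. The function body begins and ends outside the hunk.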
+++ b/ext/gd/tests/bug72512.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd))
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+OK
+
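Review bot: The `--TEST--` title in bug72512.phpt still names another report, `Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd))`, which looks copied from an older test. Anyone triaging a failure of this regression test would be sent to the wrong bug; a title matching the commit subject would be `Bug #72512 (invalid read or write for palette image when invalid transparent index is used)`. The `--SKIPIF--` and `--FILE--` bodies are not visible on this page, so this covers the header only.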