From: Stanislav Malyshev <stas@php.net>
Date: Mon, 12 May 2014 01:14:57 +0000 (-0700)
Subject: Fix bug #67248 (imageaffinematrixget missing check of parameters)
X-Git-Tag: php-5.5.13RC1~10
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=291b45afb5d5716ff0d340bd2bcb34731b806eed;p=php

Fix bug #67248 (imageaffinematrixget missing check of parameters)
---

diff --git a/NEWS b/NEWS
index c5757ccef9..5ee5c567a6 100644
--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,9 @@ PHP                                                                        NEWS
   . Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
     (Julio Pintos)
 
+- GD:
+  . Fixed bug #67248 (imageaffinematrixget missing check of parameters). (Stas)
+
 - PCRE:
   . Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch
     from the upstream). (Anatol)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 90a053535a..cbc7219e37 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -5268,7 +5268,7 @@ PHP_FUNCTION(imageaffinematrixget)
 {
 	double affine[6];
 	long type;
-	zval *options;
+	zval *options = NULL;
 	zval **tmp;
 	int res = GD_FALSE, i;
 
@@ -5280,7 +5280,7 @@ PHP_FUNCTION(imageaffinematrixget)
 		case GD_AFFINE_TRANSLATE:
 		case GD_AFFINE_SCALE: {
 			double x, y;
-			if (Z_TYPE_P(options) != IS_ARRAY) {
+			if (!options || Z_TYPE_P(options) != IS_ARRAY) {
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array expected as options");
 				RETURN_FALSE;
 			}
@@ -5327,6 +5327,10 @@ PHP_FUNCTION(imageaffinematrixget)
 		case GD_AFFINE_SHEAR_VERTICAL: {
 			double angle;
 
+			if (!options) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number is expected as option");
+				RETURN_FALSE;
+			}
 			convert_to_double_ex(&options);
 			angle = Z_DVAL_P(options);
 
diff --git a/ext/gd/tests/bug67248.phpt b/ext/gd/tests/bug67248.phpt
new file mode 100644
index 0000000000..9c83966a60
--- /dev/null
+++ b/ext/gd/tests/bug67248.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #67248 (imageaffinematrixget missing check of parameters)
+--SKIPIF--
+<?php
+        if(!extension_loaded('gd')){ die('skip gd extension not available')}
+        if(!function_exists('imageaffinematrixget')) die('skip imageaffinematrixget() not available');
+?>
+--FILE--
+<?php
+for($i=0;$i<7;$i++) {
+	imageaffinematrixget($i);
+}
+?>
+--EXPECTF--
+Warning: imageaffinematrixget(): Array expected as options in %s on line %d
+
+Warning: imageaffinematrixget(): Array expected as options in %s on line %d
+
+Warning: imageaffinematrixget(): Number is expected as option in %s on line %d
+
+Warning: imageaffinematrixget(): Number is expected as option in %s on line %d
+
+Warning: imageaffinematrixget(): Number is expected as option in %s on line %d
+
+Warning: imageaffinematrixget(): Invalid type for element 5 in %s on line %d
+
+Warning: imageaffinematrixget(): Invalid type for element 6 in %s on line %d