From: Scott MacVicar <scottmac@php.net>
Date: Wed, 10 Dec 2008 13:30:12 +0000 (+0000)
Subject: Fix segfault and potential security issue in imagerotate().
X-Git-Tag: php-5.4.0alpha1~191^2~4839
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=29ab16ee674d45da2ae9c3cbb929e45c69d93bb4;p=php

Fix segfault and potential security issue in imagerotate().
---

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index ebfae80dcc..1f65e4469f 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -3129,7 +3129,7 @@ gdImagePtr gdImageRotate (gdImagePtr src, double dAngle, int clrBack, int ignore
 		return NULL;
 	}
 
-	if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) {
+	if (!gdImageTrueColor(src) && (clrBack < 0 || clrBack>=gdImageColorsTotal(src))) {
 		return NULL;
 	}
 
diff --git a/ext/gd/tests/imagerotate_overflow.phpt b/ext/gd/tests/imagerotate_overflow.phpt
new file mode 100644
index 0000000000..ade61d8f80
--- /dev/null
+++ b/ext/gd/tests/imagerotate_overflow.phpt
@@ -0,0 +1,32 @@
+--TEST--
+imagerotate() overflow with negative numbers
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) {
+		die("skip gd extension not available.");
+	}
+
+	if (!function_exists('imagerotate')) {
+		die("skip imagerotate() not available.");
+	}
+?>
+--FILE--
+<?php
+
+$im = imagecreate(10, 10);
+
+$tmp = imagerotate ($im, 5, -9999999);
+
+var_dump($tmp);
+
+if ($tmp) {
+        imagedestroy($tmp);
+}
+
+if ($im) {
+        imagedestroy($im);
+}
+
+?>
+--EXPECT--
+bool(false)