From: Christoph M. Becker <cmbecker69@gmx.de>
Date: Mon, 6 Jan 2020 08:35:13 +0000 (+0100)
Subject: Fix #79067: gdTransformAffineCopy() may use unitialized values
X-Git-Tag: php-7.3.14RC1~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2c5860517c4a1f7ebc81ef79858aa5aff5aad76c;p=php

Fix #79067: gdTransformAffineCopy() may use unitialized values

We port
<https://github.com/libgd/libgd/commit/7a06c1669c563917bc48c464521e3de962ddb4e8>.
---

diff --git a/NEWS b/NEWS
index b71fad0f8f..bb7dd649db 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,7 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug #78923 (Artifacts when convoluting image with transparency).
     (wilson chen)
+  . Fixed bug #79067 (gdTransformAffineCopy() may use unitialized values). (cmb)
 
 - Libxml:
   . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence)
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 86549a279d..489f3c9694 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2334,7 +2334,7 @@ int gdTransformAffineGetImage(gdImagePtr *dst,
  *  src_area - Rectangular region to rotate in the src image
  *
  * Returns:
- *  GD_TRUE if the affine is rectilinear or GD_FALSE
+ *  GD_TRUE on success or GD_FALSE on failure
  */
 int gdTransformAffineCopy(gdImagePtr dst,
 		  int dst_x, int dst_y,
@@ -2393,7 +2393,10 @@ int gdTransformAffineCopy(gdImagePtr dst,
 	end_y = bbox.height + (int) fabs(bbox.y);
 
 	/* Get inverse affine to let us work with destination -> source */
-	gdAffineInvert(inv, affine);
+	if (gdAffineInvert(inv, affine) == GD_FALSE) {
+		gdImageSetInterpolationMethod(src, interpolation_id_bak);
+		return GD_FALSE;
+	}
 
 	src_offset_x =  src_region->x;
 	src_offset_y =  src_region->y;
diff --git a/ext/gd/libgd/gd_matrix.c b/ext/gd/libgd/gd_matrix.c
index 0a67f1dc26..d2dfbd2d16 100644
--- a/ext/gd/libgd/gd_matrix.c
+++ b/ext/gd/libgd/gd_matrix.c
@@ -55,7 +55,7 @@ int gdAffineApplyToPointF (gdPointFPtr dst, const gdPointFPtr src,
  *  <gdAffineIdentity>
  *
  * Returns:
- *  GD_TRUE if the affine is rectilinear or GD_FALSE
+ *  GD_TRUE on success or GD_FALSE on failure
  */
 int gdAffineInvert (double dst[6], const double src[6])
 {
diff --git a/ext/gd/tests/bug79067.phpt b/ext/gd/tests/bug79067.phpt
new file mode 100644
index 0000000000..1442b7fb56
--- /dev/null
+++ b/ext/gd/tests/bug79067.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #79067 (gdTransformAffineCopy() may use unitialized values)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$matrix = [1, 1, 1, 1, 1, 1];
+$src = imagecreatetruecolor(8, 8);
+var_dump(imageaffine($src, $matrix));
+?>
+--EXPECT--
+bool(false)