From: Mattias Bengtsson <mattias@php.net>
Date: Thu, 9 Aug 2007 14:21:38 +0000 (+0000)
Subject: - libgd #101, imagecreatefromgd can crash if gdImageCreate fails
X-Git-Tag: php-5.2.4RC2~54
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=31264450737f394de75c08ace6c14eb713daf245;p=php

- libgd #101, imagecreatefromgd can crash if gdImageCreate fails
---

diff --git a/ext/gd/libgd/gd_gd.c b/ext/gd/libgd/gd_gd.c
index 2d259cdd51..55587d43e8 100644
--- a/ext/gd/libgd/gd_gd.c
+++ b/ext/gd/libgd/gd_gd.c
@@ -122,6 +122,9 @@ static gdImagePtr _gdCreateFromFile (gdIOCtx * in, int *sx, int *sy)
 	} else {
 		im = gdImageCreate(*sx, *sy);
 	}
+	if(!im) {
+		goto fail1;
+	}
 	if (!_gdGetColors(in, im, gd2xFlag)) {
 		goto fail2;
 	}
diff --git a/ext/gd/tests/libgd00101.gd b/ext/gd/tests/libgd00101.gd
new file mode 100644
index 0000000000..5516ce09c0
--- /dev/null
+++ b/ext/gd/tests/libgd00101.gd
@@ -0,0 +1 @@
+ÿýÿý
\ No newline at end of file
diff --git a/ext/gd/tests/libgd00101.phpt b/ext/gd/tests/libgd00101.phpt
new file mode 100644
index 0000000000..1c6623d2e0
--- /dev/null
+++ b/ext/gd/tests/libgd00101.phpt
@@ -0,0 +1,18 @@
+--TEST--
+libgd #101 (imagecreatefromgd can crash if gdImageCreate fails)
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+	if (!GD_BUNDLED) die("skip requires bundled GD library\n");
+?>
+--FILE--
+<?php
+$im = imagecreatefromgd(dirname(__FILE__) . '/libgd00101.gd');
+var_dump($im);
+?>
+--EXPECTF--
+Warning: imagecreatefromgd(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %slibgd00101.php on line %d
+
+Warning: imagecreatefromgd(): '%slibgd00101.gd' is not a valid GD file in %slibgd00101.php on line %d
+bool(false)