From: Pierre Joye <pajoye@php.net>
Date: Mon, 12 Oct 2009 10:01:37 +0000 (+0000)
Subject: - check max colors while loading gd2 palette image (patch by Tomas Hoger)
X-Git-Tag: php-5.3.1RC2~26
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=419ad36db8cbe1d7c4c437128ea377bcf7100e51;p=php

- check max colors while loading gd2 palette image (patch by Tomas Hoger)
---

diff --git a/ext/gd/libgd/gd_gd.c b/ext/gd/libgd/gd_gd.c
index 55587d43e8..81a957d414 100644
--- a/ext/gd/libgd/gd_gd.c
+++ b/ext/gd/libgd/gd_gd.c
@@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
 			if (!gdGetWord(&im->colorsTotal, in)) {
 				goto fail1;
 			}
+			if (im->colorsTotal > gdMaxColors) {
+				goto fail1;
+			}
 		}
 		/* Int to accommodate truecolor single-color transparency */
 		if (!gdGetInt(&im->transparent, in)) {
diff --git a/ext/gd/tests/crafted.gd2 b/ext/gd/tests/crafted.gd2
new file mode 100644
index 0000000000..45c944cc29
Binary files /dev/null and b/ext/gd/tests/crafted.gd2 differ
diff --git a/ext/gd/tests/crafted_gd2.phpt b/ext/gd/tests/crafted_gd2.phpt
new file mode 100644
index 0000000000..7bcbc4e68b
--- /dev/null
+++ b/ext/gd/tests/crafted_gd2.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Test max colors for a gd image.
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) {
+		die("skip gd extension not available\n");
+	}
+?>
+--FILE--
+<?php
+imagecreatefromgd(dirname(__FILE__) . '/crafted.gd2');
+?>
+--EXPECTF--
+
+Warning: imagecreatefromgd(): '%scrafted.gd2' is not a valid GD file in %s on line %d
+