From: Christoph M. Becker Date: Sat, 2 Nov 2019 12:53:09 +0000 (+0100) Subject: Fix #55005: imagepolygon num_points requirement X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7d96dcac2c6ce177a88ac9f15849cb499bf446bb;p=php Fix #55005: imagepolygon num_points requirement We actually have to check `$num_points` instead of `2*count($points)`, because the latter may be greater than the former, but not all elements of `$points` are guaranteed to be used. This allowed to pass arrays with excess elements to draw polygons with less than three vertices. While the current implementation of `gdImagePolygon()` and friends would allow us to draw monogons and digons, we don't allow that anymore, because the respective drawing primitives work slightly different (e.g. drawing lines support anti-aliasing, but drawing general polygons does not). To minimize the BC break, we do not fix this longstanding issue for PHP 7, but target PHP 8 only.
---
diff --git a/NEWS b/NEWS
index 102295dd7d..3b85ad8773 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ PHP NEWS
 that allow global flag to configure query() or evaluate() calls.
 - GD:
+ . Fixed bug #55005 (imagepolygon num_points requirement). (cmb)
 . Replaced gd resources with objects. (Mark Randall)
 . Removed deprecated image2wbmp(). (cmb)
 . Removed deprecated png2wbmp() and jpeg2wbmp(). (cmb)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 989a78cb0b..cc74727420 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2745,13 +2745,8 @@ static void php_imagepolygon(INTERNAL_FUNCTION_PARAMETERS, int filled)
 col = COL;
 nelem = zend_hash_num_elements(Z_ARRVAL_P(POINTS));
- if (nelem < 6) {
- zend_value_error("You must have at least 3 points in your array");
- return;
- }
-
- if (npoints <= 0) {
- zend_value_error("You must give a positive number of points");
+ if (npoints < 3) {
+ zend_value_error("Polygon must have at least 3 points");
 return;
 }
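Review bot: With the `nelem < 6` test removed, the new `if (npoints < 3)` guard bounds `npoints` only from below, so keeping the later point reads inside the array now rests entirely on a separate comparison of `npoints` against `nelem` that is not visible in this hunk. `nelem` is still computed on the context line above, which suggests that comparison follows, but it should be confirmed that it cannot be defeated by a very large `num_points`; a division form such as `if (npoints > nelem / 2)` avoids any overflow that a multiplication of `npoints` could introduce. A one-line comment above the new check would also record the intent, e.g. `/* num_points, not count($points), decides how many vertices are used */`. The body of php_imagepolygon starts and ends outside the hunk.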
diff --git a/ext/gd/tests/bug55005.phpt b/ext/gd/tests/bug55005.phpt new file mode 100644 index 0000000000..a48d92441c --- /dev/null +++ b/ext/gd/tests/bug55005.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #55005 (imagepolygon num_points requirement) +--SKIPIF-- + +--FILE-- + imagefilledpolygon($g, array(100,10, 100,100, 180,100), 2, $fgnd), + fn () => imagepolygon($g, array(200,10, 200,100, 280,100), 2, $fgnd) +); +?> +--EXPECT-- +!! [ValueError] Polygon must have at least 3 points +!! [ValueError] Polygon must have at least 3 points diff --git a/ext/gd/tests/imagefilledpolygon_negative.phpt b/ext/gd/tests/imagefilledpolygon_negative.phpt deleted file mode 100644 index 165fa1c13b..0000000000 --- a/ext/gd/tests/imagefilledpolygon_negative.phpt +++ /dev/null @@ -1,21 +0,0 @@ ---TEST-- -imagefilledpolygon() with a negative num of points ---SKIPIF-- - ---FILE-- - imagefilledpolygon($im, array(0, 0, 0, 0, 0, 0), -1, $black) -); - -imagedestroy($im); -?> ---EXPECT-- -!! [ValueError] You must give a positive number of points diff --git a/ext/gd/tests/imagepolygon_negative.phpt b/ext/gd/tests/imagepolygon_negative.phpt deleted file mode 100644 index 96b2e7591e..0000000000 --- a/ext/gd/tests/imagepolygon_negative.phpt +++ /dev/null @@ -1,21 +0,0 @@ ---TEST-- -imagepolygon() with a negative num of points ---SKIPIF-- - ---FILE-- - imagepolygon($im, array(0, 0, 0, 0, 0, 0), -1, $black) -); - -imagedestroy($im); -?> ---EXPECT-- -!! [ValueError] You must give a positive number of points
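Review bot: The new bug55005.phpt only exercises `num_points = 2`, while the two deleted tests were the only coverage for a negative count, so after this commit nothing asserts that `-1` or `0` is rejected with the new message. Adding a case modelled on the deleted tests, e.g. `fn () => imagepolygon($g, array(0, 0, 0, 0, 0, 0), -1, $fgnd)`, plus one with `0`, would pin the lower bound, and a call with exactly `3` would pin the accepted minimum. Part of the test file appears to have been lost when the page was extracted, so this is based on the two visible calls and the two `--EXPECT--` lines.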