From: Pierre Joye
Date: Sun, 10 Dec 2006 01:28:01 +0000 (+0000)
Subject: - #39780, PNG image with CRC/data error raises fatal error
X-Git-Tag: RELEASE_1_0_0RC1~738
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ad5d1383de3b4ebc5aecfeabb6f42c597cc53166;p=php

- #39780, PNG image with CRC/data error raises fatal error
---
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 8009969027..ac73d3e89a 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2016,6 +2016,7 @@ gdImagePtr _php_image_create_from_string(zval **data, char *tn, gdImagePtr (*ioc
 im = (*ioctx_func_p)(io_ctx);
 if (!im) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Passed data is not in '%s' format", tn);
+ io_ctx->gd_free(io_ctx);
 return NULL;
 }
diff --git a/ext/gd/libgd/gd_png.c b/ext/gd/libgd/gd_png.c
index d499182064..0f6436f120 100644
--- a/ext/gd/libgd/gd_png.c
+++ b/ext/gd/libgd/gd_png.c
@@ -58,7 +58,7 @@ static void gdPngErrorHandler (png_structp png_ptr, png_const_charp msg)
 * been defined. */
- php_gd_error_ex(E_ERROR, "gd-png: fatal libpng error: %s", msg);
+ php_gd_error_ex(E_WARNING, "gd-png: fatal libpng error: %s", msg);
 jmpbuf_ptr = png_get_error_ptr (png_ptr);
 if (jmpbuf_ptr == NULL) { /* we are completely hosed now */
@@ -128,7 +128,6 @@ gdImagePtr gdImageCreateFromPngCtx (gdIOCtx * infile)
 /* GRR: isn't sizeof(infile) equal to the size of the pointer? */
 memset (sig, 0, sizeof(sig));
-
 /* first do a quick check that the file really is a PNG image; could * have used slightly more general png_sig_cmp() function instead */
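Review bot: The added `io_ctx->gd_free(io_ctx);` in `_php_image_create_from_string` covers only this failure return, and nothing in the hunk states who owns the context. The function begins and ends outside the hunk, so whether the success path and any earlier early returns release it cannot be confirmed from here. A short ownership comment above the decoder call would make a missed path easier to spot in later edits: `/* io_ctx is owned by this function: release it on every return path */`.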
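Review bot: In `gdPngErrorHandler`, downgrading `php_gd_error_ex` to `E_WARNING` means the call now returns, so the handler's safety rests entirely on the non-local jump that follows `png_get_error_ptr`; presumably the old `E_ERROR` ended the request before that code ran. libpng expects an error callback never to return to its caller, so the `jmpbuf_ptr == NULL` branch (its body is outside the hunk) must still terminate rather than fall through. Every libpng read call on untrusted image data also needs a live `setjmp` in the calling frame. I would record the invariant above the call: `/* E_WARNING returns: control must leave through longjmp() below, never back into libpng */`.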
@@ -201,6 +200,23 @@ gdImagePtr gdImageCreateFromPngCtx (gdIOCtx * infile)
 png_set_packing (png_ptr); /* expand to 1 byte per pixel */
 }
+ /* setjmp() must be called in every non-callback function that calls a
+ * PNG-reading libpng function
+ */
+#ifndef PNG_SETJMP_NOT_SUPPORTED
+ if (setjmp(gdPngJmpbufStruct.jmpbuf)) {
+ php_gd_error("gd-png error: setjmp returns error condition");
+ png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
+ gdFree(image_data);
+ gdFree(row_pointers);
+ if (im) {
+ gdImageDestroy(im);
+ }
+ return NULL;
+ }
+#endif
+
+
 switch (color_type) {
 case PNG_COLOR_TYPE_PALETTE:
 png_get_PLTE(png_ptr, info_ptr, &palette, &num_palette);
diff --git a/ext/gd/tests/bug39780.phpt b/ext/gd/tests/bug39780.phpt
new file mode 100644
index 0000000000..3a23aa9df9
--- /dev/null
+++ b/ext/gd/tests/bug39780.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #39780 (PNG image with CRC/data error raises a fatal error)
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+
+Warning: imagecreatefrompng(): gd-png: fatal libpng error: IDAT: CRC error in %s on line %d
+
+Warning: imagecreatefrompng(): gd-png error: setjmp returns error condition in %s on line %d
+
+Warning: imagecreatefrompng(): '%s' is not a valid PNG file in %s on line %d
+bool(false)
diff --git a/ext/gd/tests/bug39780.png b/ext/gd/tests/bug39780.png
new file mode 100644
index 0000000000..73a7d6a3e7
Binary files /dev/null and b/ext/gd/tests/bug39780.png differ
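Review bot: The recovery branch under the new `setjmp(gdPngJmpbufStruct.jmpbuf)` in `gdImageCreateFromPngCtx` reads `im`, `image_data` and `row_pointers` after a longjmp, and C leaves non-volatile automatic variables that were modified between the setjmp and the longjmp with indeterminate values. Their declarations and assignments are outside the hunk, so this needs confirming. Unless they are `volatile` and initialised to NULL, `gdFree(image_data)`, `gdFree(row_pointers)` and `gdImageDestroy(im)` can act on stale or uninitialised pointers when a corrupt PNG trips the error handler, which is a leak at best and an invalid free at worst. I would declare them along the lines of `gdImagePtr volatile im = NULL;`, and likewise for the two buffers, so the cleanup always sees the last stored value.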