From: Christoph M. Becker
Date: Mon, 6 Jan 2020 12:24:07 +0000 (+0100)
Subject: Fix hypothetical segfault in gdTransformAffineCopy()
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=be0b94c220c666752806235a82b364fc023b06b7;p=php
Fix hypothetical segfault in gdTransformAffineCopy()
This has been reported to upstream[1], but since ext/gd never calls `gdTransformAffineCopy()` for a palette image, it is not a bug for PHP. Therefore we apply the fix to master only. [1]
---
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
index 698e407fbf..6ea81ea61c 100644
--- a/ext/gd/libgd/gd_interpolation.c
+++ b/ext/gd/libgd/gd_interpolation.c
@@ -2302,7 +2302,6 @@ int gdTransformAffineCopy(gdImagePtr dst,
 int backup_clipx1, backup_clipy1, backup_clipx2, backup_clipy2;
 register int x, y, src_offset_x, src_offset_y;
 double inv[6];
- int *dst_p;
 gdPointF pt, src_pt;
 gdRect bbox;
 int end_x, end_y;
@@ -2365,11 +2364,18 @@ int gdTransformAffineCopy(gdImagePtr dst,
 }
 } else {
 for (y = 0; y <= end_y; y++) {
+ unsigned char *dst_p = NULL;
+ int *tdst_p = NULL;
+
 pt.y = y + 0.5 + bbox.y;
 if ((dst_y + y) < 0 || ((dst_y + y) > gdImageSY(dst) -1)) {
 continue;
 }
- dst_p = dst->tpixels[dst_y + y] + dst_x;
+ if (dst->trueColor) {
+ tdst_p = dst->tpixels[dst_y + y] + dst_x;
+ } else {
+ dst_p = dst->pixels[dst_y + y] + dst_x;
+ }
 
 for (x = 0; x <= end_x; x++) {
 pt.x = x + 0.5 + bbox.x;
@@ -2378,7 +2384,11 @@ int gdTransformAffineCopy(gdImagePtr dst,
 if ((dst_x + x) < 0 || (dst_x + x) > (gdImageSX(dst) - 1)) {
 break;
 }
- *(dst_p++) = getPixelInterpolated(src, src_offset_x + src_pt.x, src_offset_y + src_pt.y, -1);
+ if (dst->trueColor) {
+ *(tdst_p++) = getPixelInterpolated(src, src_offset_x + src_pt.x, src_offset_y + src_pt.y, -1);
+ } else {
+ *(dst_p++) = getPixelInterpolated(src, src_offset_x + src_pt.x, src_offset_y + src_pt.y, -1);
+ }
 }
 }
 }
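Review bot: Both row pointers in the second hunk are computed as row plus `dst_x` before any column check, so a `dst_x` that is negative or beyond `gdImageSX(dst)` forms a pointer outside the row; only the row index `dst_y + y` is validated above it. The inner loop's bounds test (visible in the third hunk) stops before any store, so this is a latent out-of-range pointer rather than a visible out-of-bounds write. It is cheap to remove by indexing after the test, e.g. `dst->pixels[dst_y + y][dst_x + x] = ...`, or by skipping the row when `dst_x` is out of range. The function body starts and ends outside this hunk, so an earlier clamp of `dst_x` may exist that is not visible here.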
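Review bot: In the palette branch of the third hunk, the `int` returned by `getPixelInterpolated()` is stored straight into an `unsigned char`, so it is silently truncated to its low 8 bits. The same value is written unchanged to `tpixels` in the other branch, which suggests it is a packed truecolor value; if so, the byte that lands in `dst->pixels` is a colour channel rather than a palette index and may name an entry the destination palette never allocated. The crash is gone, but the value should be mapped through the palette, for example `int c = getPixelInterpolated(...);` followed by `*(dst_p++) = gdImageColorResolveAlpha(dst, gdTrueColorGetRed(c), gdTrueColorGetGreen(c), gdTrueColorGetBlue(c), gdTrueColorGetAlpha(c));`. The enclosing loops open outside this hunk.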