From: Christoph M. Becker Date: Mon, 10 Oct 2016 09:40:16 +0000 (+0200) Subject: Fix #73279: Integer overflow in gdImageScaleBilinearPalette() X-Git-Tag: php-5.6.28RC1~12 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fc989fc6e773ccfb4d9ade0f466a3c5c2820bfdc;p=php Fix #73279: Integer overflow in gdImageScaleBilinearPalette() The color components are supposed to be in range 0..255, so we must not cast them to `signed char`, what can be the default for `char`. Port of . --- diff --git a/NEWS b/NEWS index a41168d066..9fc658ec7b 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ PHP NEWS . Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb) . Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()). (cmb) + . Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb) - Standard: . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb) diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 4c11213a8e..1c151b5509 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c 
@@ -1331,10 +1331,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int f_a4 = gd_itofx(gdTrueColorGetAlpha(pixel4)); { - const char red = (char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4)); - const char green = (char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4)); - const char blue = (char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4)); - const char alpha = (char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4)); + const unsigned char red = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4)); + const unsigned char green = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4)); + const unsigned char blue = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4)); + const unsigned char alpha = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4)); new_img->tpixels[dst_offset_v][dst_offset_h] = gdTrueColorAlpha(red, green, blue, alpha); } diff --git a/ext/gd/tests/bug73279.phpt b/ext/gd/tests/bug73279.phpt new file mode 100644 index 0000000000..e6c6709039 --- /dev/null +++ b/ext/gd/tests/bug73279.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #73279 (Integer overflow in gdImageScaleBilinearPalette()) +--SKIPIF-- += 2.2.4'); +} +?> +--FILE-- + +===DONE=== +--EXPECT-- +color: ffffff +===DONE=== diff --git a/ext/gd/tests/bug73279_old.phpt b/ext/gd/tests/bug73279_old.phpt new file mode 100644 index 0000000000..0cbbec34f2 --- /dev/null +++ b/ext/gd/tests/bug73279_old.phpt 
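Review bot: The four `(unsigned char)` casts on the red, green, blue and alpha lines still narrow the `gd_fxtoi()` result with no range check, so the fix depends on the interpolated sum staying within 0..255, which is established by the weight setup outside this hunk (the body of gdImageScaleBilinearPalette starts and ends beyond it). A comment above the block would keep the reason for the type from being lost in a later cleanup, for example `/* unsigned char, not char: plain char may be signed, and a component above 127 would then turn negative before it is packed */`. Alpha is narrowed to the same 0..255 type although `gdTrueColorAlpha()` packs it into the top byte; if gd's alpha maximum is 127 (`gdAlphaMax`), asserting or clamping to it here would document that invariant. Other scaling routines in this file are not visible here and may carry the same `(char)` cast, so they are worth checking in the same change.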
@@ -0,0 +1,22 @@ +--TEST-- +Bug #73279 (Integer overflow in gdImageScaleBilinearPalette()) +--SKIPIF-- +=')) { + die('skip only for external libgd < 2.2.4'); +} +?> +--FILE-- + +===DONE=== +--XFAIL-- +Bug #330 has not yet been fixed +--EXPECT-- +color: ffffff +===DONE===
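Review bot: The `--XFAIL--` reason `Bug #330 has not yet been fixed` does not say which tracker #330 belongs to, and beside the PHP bug number in the `--TEST--` title it reads like a PHP bug id; presumably it refers to the upstream libgd tracker. Because this test only runs against an external libgd older than 2.2.4, the expected failure means such builds still return the wrong colour, and the reason should say so, e.g. `External libgd < 2.2.4 is still affected (libgd issue #330)`. The PHP body of the test did not survive on this page, so the script itself is not reviewed here.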