From 29ab16ee674d45da2ae9c3cbb929e45c69d93bb4 Mon Sep 17 00:00:00 2001
From: Scott MacVicar <scottmac@php.net>
Date: Wed, 10 Dec 2008 13:30:12 +0000
Subject: [PATCH] Fix segfault and potential security issue in imagerotate().

---
 ext/gd/libgd/gd.c                      |  2 +-
 ext/gd/tests/imagerotate_overflow.phpt | 32 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 ext/gd/tests/imagerotate_overflow.phpt

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index ebfae80dcc..1f65e4469f 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -3129,7 +3129,7 @@ gdImagePtr gdImageRotate (gdImagePtr src, double dAngle, int clrBack, int ignore
 		return NULL;
 	}
 
-	if (!gdImageTrueColor(src) && clrBack>=gdImageColorsTotal(src)) {
+	if (!gdImageTrueColor(src) && (clrBack < 0 || clrBack>=gdImageColorsTotal(src))) {
 		return NULL;
 	}
 
diff --git a/ext/gd/tests/imagerotate_overflow.phpt b/ext/gd/tests/imagerotate_overflow.phpt
new file mode 100644
index 0000000000..ade61d8f80
--- /dev/null
+++ b/ext/gd/tests/imagerotate_overflow.phpt
@@ -0,0 +1,32 @@
+--TEST--
+imagerotate() overflow with negative numbers
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) {
+		die("skip gd extension not available.");
+	}
+
+	if (!function_exists('imagerotate')) {
+		die("skip imagerotate() not available.");
+	}
+?>
+--FILE--
+<?php
+
+$im = imagecreate(10, 10);
+
+$tmp = imagerotate ($im, 5, -9999999);
+
+var_dump($tmp);
+
+if ($tmp) {
+        imagedestroy($tmp);
+}
+
+if ($im) {
+        imagedestroy($im);
+}
+
+?>
+--EXPECT--
+bool(false)
-- 
2.50.1