From cadb49463cde70ef260504a472af3e38abd48357 Mon Sep 17 00:00:00 2001
From: Takeshi Abe <tabe@php.net>
Date: Thu, 14 Jan 2010 11:11:56 +0000
Subject: [PATCH] imagepolygon() and imagefilledpolygon() does not allow
 negative number of points causing invalid allocation

---
 ext/gd/gd.c                                   |  5 ++++-
 ext/gd/libgd/gd.c                             |  4 ++--
 ext/gd/tests/imagefilledpolygon_negative.phpt | 15 +++++++++++++++
 ext/gd/tests/imagepolygon_negative.phpt       | 15 +++++++++++++++
 4 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 ext/gd/tests/imagefilledpolygon_negative.phpt
 create mode 100644 ext/gd/tests/imagepolygon_negative.phpt

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index c445090b0c..cdec117ea6 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3170,7 +3170,10 @@ static void php_imagepolygon(INTERNAL_FUNCTION_PARAMETERS, int filled)
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "You must have at least 3 points in your array");
 		RETURN_FALSE;
 	}
-
+	if (npoints <= 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "You must give a positive number of points");
+		RETURN_FALSE;
+	}
 	if (nelem < npoints * 2) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Trying to use %d points in array with only %d points", npoints, nelem/2);
 		RETURN_FALSE;
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index d76cf3fb93..4fa4be374a 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -2563,7 +2563,7 @@ void gdImagePolygon (gdImagePtr im, gdPointPtr p, int n, int c)
 	typedef void (*image_line)(gdImagePtr im, int x1, int y1, int x2, int y2, int color);
 	image_line draw_line;
 
-	if (!n) {
+	if (n <= 0) {
 		return;
 	}
 
@@ -2616,7 +2616,7 @@ void gdImageFilledPolygon (gdImagePtr im, gdPointPtr p, int n, int c)
 	int ints;
 	int fill_color;
 
-	if (!n) {
+	if (n <= 0) {
 		return;
 	}
 
diff --git a/ext/gd/tests/imagefilledpolygon_negative.phpt b/ext/gd/tests/imagefilledpolygon_negative.phpt
new file mode 100644
index 0000000000..ced853067b
--- /dev/null
+++ b/ext/gd/tests/imagefilledpolygon_negative.phpt
@@ -0,0 +1,15 @@
+--TEST--
+imagefilledpolygon() with a negative num of points
+--SKIPIF--
+<?php 
+	if (!function_exists('imagefilledpolygon')) die('skip imagefilledpolygon() not available'); 
+?>
+--FILE--
+<?php
+$im = imagecreate(100, 100);
+$black = imagecolorallocate($im, 0, 0, 0);
+if (imagefilledpolygon($im, array(0, 0, 0, 0, 0, 0), -1, $black)) echo "should be false";
+imagedestroy($im);
+?>
+--EXPECTF--
+Warning: imagefilledpolygon(): You must give a positive number of points in %s on line %d
diff --git a/ext/gd/tests/imagepolygon_negative.phpt b/ext/gd/tests/imagepolygon_negative.phpt
new file mode 100644
index 0000000000..bb9010c92f
--- /dev/null
+++ b/ext/gd/tests/imagepolygon_negative.phpt
@@ -0,0 +1,15 @@
+--TEST--
+imagepolygon() with a negative num of points
+--SKIPIF--
+<?php 
+	if (!function_exists('imagepolygon')) die('skip imagepolygon() not available'); 
+?>
+--FILE--
+<?php
+$im = imagecreate(100, 100);
+$black = imagecolorallocate($im, 0, 0, 0);
+if (imagepolygon($im, array(0, 0, 0, 0, 0, 0), -1, $black)) echo "should be false";
+imagedestroy($im);
+?>
+--EXPECTF--
+Warning: imagepolygon(): You must give a positive number of points in %s on line %d
-- 
2.50.1