From e394a130f65d31fec29e3b93a651d5d308909188 Mon Sep 17 00:00:00 2001
From: Pierre Joye
Date: Mon, 12 Oct 2009 10:01:37 +0000
Subject: [PATCH] - check max colors while loading gd2 palette image (patch by Tomas Hoger)
---
 ext/gd/libgd/gd_gd.c | 3 +++
 ext/gd/tests/crafted.gd2 | Bin 0 -> 1039 bytes
 ext/gd/tests/crafted_gd2.phpt | 16 ++++++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 ext/gd/tests/crafted.gd2
 create mode 100644 ext/gd/tests/crafted_gd2.phpt
diff --git a/ext/gd/libgd/gd_gd.c b/ext/gd/libgd/gd_gd.c
index 55587d43e8..81a957d414 100644
--- a/ext/gd/libgd/gd_gd.c
+++ b/ext/gd/libgd/gd_gd.c
@@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
 if (!gdGetWord(&im->colorsTotal, in)) {
 goto fail1;
 }
+ if (im->colorsTotal > gdMaxColors) {
+ goto fail1;
+ }
 }
 /* Int to accommodate truecolor single-color transparency */
 if (!gdGetInt(&im->transparent, in)) {
diff --git a/ext/gd/tests/crafted.gd2 b/ext/gd/tests/crafted.gd2
new file mode 100644
index 0000000000000000000000000000000000000000..45c944cc29fa0925e7f05a9f4f4d34996cb9d724
GIT binary patch literal 1039 bcmezWpMjBqiQ(Q_hEXsY0;3@?!b1Q6U5^8e literal 0 HcmV?d00001
diff --git a/ext/gd/tests/crafted_gd2.phpt b/ext/gd/tests/crafted_gd2.phpt
new file mode 100644
index 0000000000..7bcbc4e68b
--- /dev/null
+++ b/ext/gd/tests/crafted_gd2.phpt
@@ -0,0 +1,16 @@
+--TEST-- +Test max colors for a gd image. +--SKIPIF-- + +--FILE-- + +--EXPECTF-- + +Warning: imagecreatefromgd(): '%scrafted.gd2' is not a valid GD file in %s on line %d + -- 2.40.0
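Review bot: In the ext/gd/libgd/gd_gd.c hunk, the added `im->colorsTotal > gdMaxColors` guard has no comment saying what it protects, so a later refactor could move or drop it unnoticed. I would put `/* colorsTotal comes from the file; bound it before it is used to index the palette arrays */` above the `if`, assuming those arrays are sized by `gdMaxColors`, which is not visible here. The value read just below by `gdGetInt(&im->transparent, in)` is also file-controlled and is not range-checked anywhere in this hunk. If it is later used as a palette index for non-truecolor images it likely needs a similar bound, for example against `colorsTotal`. `_gdGetColors` starts and ends outside the hunk, so any other branch that sets `colorsTotal` cannot be checked from here.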