Patch for 72697

72697.diff

commit b6f13a5ef9d6280cf984826a5de012a32c396cd4
Author: Stanislav Malyshev <stas@php.net>
Date:   Wed Aug 10 00:00:14 2016 -0700

    Fix bug#72697 - select_colors write out-of-bounds

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 533dc50..cdfbaa2 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1651,11 +1651,11 @@ PHP_FUNCTION(imagetruecolortopalette)
 
 	ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
 
-	if (ncolors <= 0) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero");
+	if (ncolors <= 0 || ncolors > INT_MAX) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
 		RETURN_FALSE;
 	}
-	gdImageTrueColorToPalette(im, dither, ncolors);
+	gdImageTrueColorToPalette(im, dither, (int)ncolors);
 
 	RETURN_TRUE;
 }
diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt
new file mode 100644
index 0000000..6110385
--- /dev/null
+++ b/ext/gd/tests/bug72697.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72697: select_colors write out-of-bounds
+--SKIPIF--
+<?php 
+if (!function_exists("imagecreatetruecolor")) die("skip");
+if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
+?>
+--FILE--
+<?php
+
+$img=imagecreatetruecolor(10, 10);
+imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
+?>
+DONE
+--EXPECTF--
+Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
+DONE
\ No newline at end of file