Patch for 72482
commit 64d1b24ce38fbfb4d3bca8f9a6b6cf05d7167fdd | |
Author: Christoph M. Becker <cmbecker69@gmx.de> | |
Date: Sun Oct 30 14:17:21 2016 -0700 | |
Fix #72482: Ilegal write/read access caused by gdImageAALine overflow | |
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c | |
index 033d4fa..058f1c9 100644 | |
--- a/ext/gd/libgd/gd.c | |
+++ b/ext/gd/libgd/gd.c | |
@@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color) | |
} | |
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */ | |
- if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) { | |
+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) { | |
return; | |
} | |
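Review bot: The `-1` added to both clip bounds in gdImageLine is unexplained, and the same expression is repeated verbatim in the gdImageAALine hunk below. clip_1d apparently treats its last argument as an inclusive maximum (inferred from this fix; its definition is not part of the diff), so the existing comment should say so, for example `/* clip_1d's limit is inclusive: the last valid coordinate is size - 1 */`. With two call sites that must pass identical bounds, a small static helper wrapping the pair of clip_1d calls would keep them from drifting apart again. gdImageLine's body starts and continues outside the hunk.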
@@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col) | |
long x, y, inc, frac; | |
long dx, dy,tmp; | |
- if (y1 < 0 && y2 < 0) { | |
- return; | |
- } | |
- if (y1 < 0) { | |
- x1 += (y1 * (x1 - x2)) / (y2 - y1); | |
- y1 = 0; | |
- } | |
- if (y2 < 0) { | |
- x2 += (y2 * (x1 - x2)) / (y2 - y1); | |
- y2 = 0; | |
- } | |
- | |
- /* bottom edge */ | |
- if (y1 >= im->sy && y2 >= im->sy) { | |
- return; | |
- } | |
- if (y1 >= im->sy) { | |
- x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1); | |
- y1 = im->sy - 1; | |
- } | |
- if (y2 >= im->sy) { | |
- x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1); | |
- y2 = im->sy - 1; | |
- } | |
- | |
- /* left edge */ | |
- if (x1 < 0 && x2 < 0) { | |
- return; | |
- } | |
- if (x1 < 0) { | |
- y1 += (x1 * (y1 - y2)) / (x2 - x1); | |
- x1 = 0; | |
- } | |
- if (x2 < 0) { | |
- y2 += (x2 * (y1 - y2)) / (x2 - x1); | |
- x2 = 0; | |
- } | |
- /* right edge */ | |
- if (x1 >= im->sx && x2 >= im->sx) { | |
+ /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */ | |
+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) { | |
return; | |
} | |
- if (x1 >= im->sx) { | |
- y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1); | |
- x1 = im->sx - 1; | |
- } | |
- if (x2 >= im->sx) { | |
- y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1); | |
- x2 = im->sx - 1; | |
- } | |
dx = x2 - x1; | |
dy = y2 - y1; | |
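Review bot: After this hunk the only bounds enforcement visible in gdImageAALine is the single clip_1d call, so memory safety depends on code the diff does not show. That covers clip_1d's own arithmetic when the endpoints are near INT_MAX, and the drawing loop, which for an antialiased line presumably also touches the pixel adjacent to each computed one. Clipping the endpoints to size-1 does not by itself cover that neighbour, so it is worth confirming that the loop or the pixel setter checks it. The copied `2.0.10: Nick Atty` comment also misstates the history of this function; `/* clip both endpoints to [0, sx-1] x [0, sy-1]; return if nothing is left to draw */` would be more accurate. The function body continues outside the hunk.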
diff --git a/ext/gd/tests/bug72482.phpt b/ext/gd/tests/bug72482.phpt | |
new file mode 100644 | |
index 0000000..ac92077 | |
--- /dev/null | |
+++ b/ext/gd/tests/bug72482.phpt | |
@@ -0,0 +1,19 @@ | |
+--TEST-- | |
+Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('gd')) die('skip gd extension not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+$img = imagecreatetruecolor(13, 1007); | |
+imageantialias($img, true); | |
+imageline($img, 0, 0, 1073745919, 1073745919, 4096); | |
+ | |
+$img = imagecreatetruecolor(100, 100); | |
+imageantialias($img, true); | |
+imageline($img, 1094795585, 0, 2147483647, 255, 0xff); | |
+?> | |
+===DONE=== | |
+--EXPECT-- | |
+===DONE=== | |
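Review bot: Both cases only assert that the script reaches `===DONE===`, so an out-of-bounds read or a small write that does not crash the process would still pass. The test is a reliable regression guard mainly when the suite runs under a memory checker such as valgrind or an ASan build. Both cases also use only large positive coordinates, while the clipping code removed from gdImageAALine had separate branches for negative ones. A mirrored case such as `imageline($img, -1073745919, -1073745919, 0, 0, 4096);`, plus a horizontal or vertical line crossing an edge, would exercise the paths that now go through clip_1d.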
diff --git a/ext/gd/tests/bug72482_2.phpt b/ext/gd/tests/bug72482_2.phpt | |
new file mode 100644 | |
index 0000000..9836884 | |
--- /dev/null | |
+++ b/ext/gd/tests/bug72482_2.phpt | |
@@ -0,0 +1,21 @@ | |
+--TEST-- | |
+Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('gd')) die('skip gd extension not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc'; | |
+ | |
+$im = imagecreatetruecolor(10, 10); | |
+imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255)); | |
+imageantialias($im, true); | |
+imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0)); | |
+ | |
+test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im); | |
+?> | |
+===DONE=== | |
+--EXPECT-- | |
+The images are equal. | |
+===DONE=== | |
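Review bot: This test compares against `bug72482_2.png`, but the patch as shown contains no entry for that file, not even a binary-file stub. Applied from this text alone, the test would fail on the missing reference image rather than on a rendering regression, so the PNG needs to ship with the patch. It also depends on `func.inc` for `test_image_equals_file`, which is assumed to exist already in ext/gd/tests. The `--TEST--` title reads `Bug 72482` where the sibling test has `Bug #72482`; using the same form keeps both easy to find by bug number.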
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c | |
index e7cbd1f..22ad05a 100644 | |
--- a/ext/spl/spl_array.c | |
+++ b/ext/spl/spl_array.c | |
@@ -1812,7 +1812,6 @@ SPL_METHOD(Array, unserialize) | |
ALLOC_INIT_ZVAL(intern->array); | |
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) | |
|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { | |
- // zval_ptr_dtor(&intern->array); | |
goto outexcept; | |
} | |
var_push_dtor(&var_hash, &intern->array); |