/72482.diff Secret

## 72482.diff
commit 64d1b24ce38fbfb4d3bca8f9a6b6cf05d7167fdd
Author: Christoph M. Becker <cmbecker69@gmx.de>
Date:   Sun Oct 30 14:17:21 2016 -0700

    Fix #72482: Ilegal write/read access caused by gdImageAALine overflow

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 033d4fa..058f1c9 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
 	}

 	/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
-	if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
+	if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
 		return;
 	}

@@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
 	long x, y, inc, frac;
 	long dx, dy,tmp;

-	if (y1 < 0 && y2 < 0) {
-		return;
-	}
-	if (y1 < 0) {
-		x1 += (y1 * (x1 - x2)) / (y2 - y1);
-		y1 = 0;
-	}
-	if (y2 < 0) {
-		x2 += (y2 * (x1 - x2)) / (y2 - y1);
-		y2 = 0;
-	}
-
-	/* bottom edge */
-	if (y1 >= im->sy && y2 >= im->sy) {
-		return;
-	}
-	if (y1 >= im->sy) {
-		x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
-		y1 = im->sy - 1;
-	}
-	if (y2 >= im->sy) {
-		x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
-		y2 = im->sy - 1;
-	}
-
-	/* left edge */
-	if (x1 < 0 && x2 < 0) {
-		return;
-	}
-	if (x1 < 0) {
-		y1 += (x1 * (y1 - y2)) / (x2 - x1);
-		x1 = 0;
-	}
-	if (x2 < 0) {
-		y2 += (x2 * (y1 - y2)) / (x2 - x1);
-		x2 = 0;
-	}
-	/* right edge */
-	if (x1 >= im->sx && x2 >= im->sx) {
+	/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
+	if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
 		return;
 	}
-	if (x1 >= im->sx) {
-		y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
-		x1 = im->sx - 1;
-	}
-	if (x2 >= im->sx) {
-		y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
-		x2 = im->sx - 1;
-	}

 	dx = x2 - x1;
 	dy = y2 - y1;
diff --git a/ext/gd/tests/bug72482.phpt b/ext/gd/tests/bug72482.phpt
new file mode 100644
index 0000000..ac92077
--- /dev/null
+++ b/ext/gd/tests/bug72482.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(13, 1007);
+imageantialias($img, true);
+imageline($img, 0, 0, 1073745919, 1073745919, 4096);
+
+$img = imagecreatetruecolor(100, 100);
+imageantialias($img, true);
+imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/gd/tests/bug72482_2.phpt b/ext/gd/tests/bug72482_2.phpt
new file mode 100644
index 0000000..9836884
--- /dev/null
+++ b/ext/gd/tests/bug72482_2.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
+
+$im = imagecreatetruecolor(10, 10);
+imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
+imageantialias($im, true);
+imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
+
+test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
+?>
+===DONE===
+--EXPECT--
+The images are equal.
+===DONE===
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index e7cbd1f..22ad05a 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1812,7 +1812,6 @@ SPL_METHOD(Array, unserialize)
 		ALLOC_INIT_ZVAL(intern->array);
 		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
 				|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
-			// zval_ptr_dtor(&intern->array);
 			goto outexcept;
 		}
 		var_push_dtor(&var_hash, &intern->array);
	commit 64d1b24ce38fbfb4d3bca8f9a6b6cf05d7167fdd
	Author: Christoph M. Becker <cmbecker69@gmx.de>
	Date: Sun Oct 30 14:17:21 2016 -0700

	Fix #72482: Ilegal write/read access caused by gdImageAALine overflow

	diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
	index 033d4fa..058f1c9 100644
	--- a/ext/gd/libgd/gd.c
	+++ b/ext/gd/libgd/gd.c
	@@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
	}

	/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
	- if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) \|\| !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
	+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) \|\| !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
	return;
	}

	@@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
	long x, y, inc, frac;
	long dx, dy,tmp;

	- if (y1 < 0 && y2 < 0) {
	- return;
	- }
	- if (y1 < 0) {
	- x1 += (y1 * (x1 - x2)) / (y2 - y1);
	- y1 = 0;
	- }
	- if (y2 < 0) {
	- x2 += (y2 * (x1 - x2)) / (y2 - y1);
	- y2 = 0;
	- }
	-
	- /* bottom edge */
	- if (y1 >= im->sy && y2 >= im->sy) {
	- return;
	- }
	- if (y1 >= im->sy) {
	- x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
	- y1 = im->sy - 1;
	- }
	- if (y2 >= im->sy) {
	- x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
	- y2 = im->sy - 1;
	- }
	-
	- /* left edge */
	- if (x1 < 0 && x2 < 0) {
	- return;
	- }
	- if (x1 < 0) {
	- y1 += (x1 * (y1 - y2)) / (x2 - x1);
	- x1 = 0;
	- }
	- if (x2 < 0) {
	- y2 += (x2 * (y1 - y2)) / (x2 - x1);
	- x2 = 0;
	- }
	- /* right edge */
	- if (x1 >= im->sx && x2 >= im->sx) {
	+ /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
	+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) \|\| !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
	return;
	}
	- if (x1 >= im->sx) {
	- y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
	- x1 = im->sx - 1;
	- }
	- if (x2 >= im->sx) {
	- y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
	- x2 = im->sx - 1;
	- }

	dx = x2 - x1;
	dy = y2 - y1;
	diff --git a/ext/gd/tests/bug72482.phpt b/ext/gd/tests/bug72482.phpt
	new file mode 100644
	index 0000000..ac92077
	--- /dev/null
	+++ b/ext/gd/tests/bug72482.phpt
	@@ -0,0 +1,19 @@
	+--TEST--
	+Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow)
	+--SKIPIF--
	+<?php
	+if (!extension_loaded('gd')) die('skip gd extension not available');
	+?>
	+--FILE--
	+<?php
	+$img = imagecreatetruecolor(13, 1007);
	+imageantialias($img, true);
	+imageline($img, 0, 0, 1073745919, 1073745919, 4096);
	+
	+$img = imagecreatetruecolor(100, 100);
	+imageantialias($img, true);
	+imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
	+?>
	+===DONE===
	+--EXPECT--
	+===DONE===
	diff --git a/ext/gd/tests/bug72482_2.phpt b/ext/gd/tests/bug72482_2.phpt
	new file mode 100644
	index 0000000..9836884
	--- /dev/null
	+++ b/ext/gd/tests/bug72482_2.phpt
	@@ -0,0 +1,21 @@
	+--TEST--
	+Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow)
	+--SKIPIF--
	+<?php
	+if (!extension_loaded('gd')) die('skip gd extension not available');
	+?>
	+--FILE--
	+<?php
	+require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
	+
	+$im = imagecreatetruecolor(10, 10);
	+imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
	+imageantialias($im, true);
	+imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
	+
	+test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
	+?>
	+===DONE===
	+--EXPECT--
	+The images are equal.
	+===DONE===
	diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
	index e7cbd1f..22ad05a 100644
	--- a/ext/spl/spl_array.c
	+++ b/ext/spl/spl_array.c
	@@ -1812,7 +1812,6 @@ SPL_METHOD(Array, unserialize)
	ALLOC_INIT_ZVAL(intern->array);
	if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
	\|\| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
	- // zval_ptr_dtor(&intern->array);
	goto outexcept;
	}
	var_push_dtor(&var_hash, &intern->array);