Skip to content

Instantly share code, notes, and snippets.

/72482.diff Secret

Created October 30, 2016 21:29
Show Gist options
  • Save anonymous/873314feb4f89bd8336711333299f748 to your computer and use it in GitHub Desktop.
Save anonymous/873314feb4f89bd8336711333299f748 to your computer and use it in GitHub Desktop.
Patch for 72482
commit 6499581af76cfe986e12330faabb3a7c36d45ffc
Author: Christoph M. Becker <cmbecker69@gmx.de>
Date: Tue Oct 25 15:14:22 2016 +0200
Fix #72482: Ilegal write/read access caused by gdImageAALine overflow
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 033d4fa..058f1c9 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
}
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
- if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
@@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
long x, y, inc, frac;
long dx, dy,tmp;
- if (y1 < 0 && y2 < 0) {
- return;
- }
- if (y1 < 0) {
- x1 += (y1 * (x1 - x2)) / (y2 - y1);
- y1 = 0;
- }
- if (y2 < 0) {
- x2 += (y2 * (x1 - x2)) / (y2 - y1);
- y2 = 0;
- }
-
- /* bottom edge */
- if (y1 >= im->sy && y2 >= im->sy) {
- return;
- }
- if (y1 >= im->sy) {
- x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
- y1 = im->sy - 1;
- }
- if (y2 >= im->sy) {
- x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
- y2 = im->sy - 1;
- }
-
- /* left edge */
- if (x1 < 0 && x2 < 0) {
- return;
- }
- if (x1 < 0) {
- y1 += (x1 * (y1 - y2)) / (x2 - x1);
- x1 = 0;
- }
- if (x2 < 0) {
- y2 += (x2 * (y1 - y2)) / (x2 - x1);
- x2 = 0;
- }
- /* right edge */
- if (x1 >= im->sx && x2 >= im->sx) {
+ /* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
+ if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
- if (x1 >= im->sx) {
- y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
- x1 = im->sx - 1;
- }
- if (x2 >= im->sx) {
- y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
- x2 = im->sx - 1;
- }
dx = x2 - x1;
dy = y2 - y1;
diff --git a/ext/gd/tests/bug72482.phpt b/ext/gd/tests/bug72482.phpt
new file mode 100644
index 0000000..548921d
--- /dev/null
+++ b/ext/gd/tests/bug72482.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(13, 1007);
+imageantialias($img, true);
+imageline($img, 0, 0, 1073745919, 1073745919, 4096);
+
+$img = imagecreatetruecolor(100, 100);
+imageantialias($img, true);
+imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/gd/tests/bug72482_2.phpt b/ext/gd/tests/bug72482_2.phpt
new file mode 100644
index 0000000..a8a08fa
--- /dev/null
+++ b/ext/gd/tests/bug72482_2.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
+
+$im = imagecreatetruecolor(10, 10);
+imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
+imageantialias($im, true);
+imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
+
+test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
+?>
+===DONE===
+--EXPECT--
+The images are equal.
+===DONE===
diff --git a/ext/gd/tests/bug72482_2.png b/ext/gd/tests/bug72482_2.png
new file mode 100644
index 0000000..da90b2a
Binary files /dev/null and b/ext/gd/tests/bug72482_2.png differ
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment