/72730.diff Secret
Created Aug 10, 2016

Patch for 72730
commit 047fe0ed03093a496691d376fcf51a7e2f1d04b0
Author: Stanislav Malyshev <stas@php.net>
Date: Wed Aug 10 00:14:58 2016 -0700
Fix bug #72730 - imagegammacorrect allows arbitrary write access
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index cdfbaa2..f858cc7 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3075,6 +3075,11 @@ PHP_FUNCTION(imagegammacorrect)
return;
}
+ if ( input <= 0.0 || output <= 0.0 ) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Gamma values should be positive");
+ RETURN_FALSE;
+ }
+
ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
if (gdImageTrueColor(im)) {
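Review bot: the guard `input <= 0.0 || output <= 0.0` does not reject NaN, because every ordered comparison against NaN evaluates to false, so a NaN gamma would pass this check and reach the code after ZEND_FETCH_RESOURCE. Writing the condition as the negation of the accepted range, `if (!(input > 0.0 && output > 0.0))`, closes that gap; it is also worth deciding here whether infinite values should be refused. Minor style point: the padding inside `if ( ... )` differs from the `if (gdImageTrueColor(im))` form used a few lines below.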
diff --git a/ext/gd/tests/bug72730.phpt b/ext/gd/tests/bug72730.phpt
new file mode 100644
index 0000000..e7c13cb
--- /dev/null
+++ b/ext/gd/tests/bug72730.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #72730: imagegammacorrect allows arbitrary write access
+--SKIPIF--
+<?php
+if (!function_exists("imagecreatetruecolor")) die("skip");
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(1, 1);
+imagegammacorrect($img, -1, 1337);
+?>
+DONE
+--EXPECTF--
+Warning: imagegammacorrect(): Gamma values should be positive in %sbug72730.php on line %d
+DONE
\ No newline at end of file
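Review bot: the test only exercises a negative input gamma, `imagegammacorrect($img, -1, 1337);`, so the `output <= 0.0` half of the new condition and the zero boundary are never hit, and the FALSE return value is not asserted. Suggest adding calls with a zero input and with a non-positive output, wrapped in var_dump() so the expected output includes bool(false) next to each warning. A second image created with imagecreate() would also cover the non-truecolor path that follows the guard. The file ends without a trailing newline, which is worth fixing while it is being touched.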