Instantly share code, notes, and snippets.

anonymous /72730.diff Secret
Created Aug 10, 2016

Embed
What would you like to do?
Patch for 72730
commit 047fe0ed03093a496691d376fcf51a7e2f1d04b0
Author: Stanislav Malyshev <stas@php.net>
Date: Wed Aug 10 00:14:58 2016 -0700
Fix bug #72730 - imagegammacorrect allows arbitrary write access
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index cdfbaa2..f858cc7 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3075,6 +3075,11 @@ PHP_FUNCTION(imagegammacorrect)
return;
}
+ if ( input <= 0.0 || output <= 0.0 ) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Gamma values should be positive");
+ RETURN_FALSE;
+ }
+
ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
if (gdImageTrueColor(im)) {
diff --git a/ext/gd/tests/bug72730.phpt b/ext/gd/tests/bug72730.phpt
new file mode 100644
index 0000000..e7c13cb
--- /dev/null
+++ b/ext/gd/tests/bug72730.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #72730: imagegammacorrect allows arbitrary write access
+--SKIPIF--
+<?php
+if (!function_exists("imagecreatetruecolor")) die("skip");
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(1, 1);
+imagegammacorrect($img, -1, 1337);
+?>
+DONE
+--EXPECTF--
+Warning: imagegammacorrect(): Gamma values should be positive in %sbug72730.php on line %d
+DONE
\ No newline at end of file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment