From cd13d0260a9327af541176235e76cdef8af3a27a Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 25 Oct 2016 14:19:36 +0200 Subject: [PATCH] Fix #72494: imagecropauto out-of-bounds access This issue has actually already been fixed with commit 46f2c690. We're adding a regression test and a NEWS entry, and also port the fix in gdImageCropThreshold() from libgd: * * --- NEWS | 2 ++ ext/gd/libgd/gd_crop.c | 4 ++++ ext/gd/tests/bug72494.phpt | 15 +++++++++++++++ 3 files changed, 21 insertions(+) create mode 100644 ext/gd/tests/bug72494.phpt diff --git a/NEWS b/NEWS index fc2e52c11e0..d3cac7228ed 100644 --- a/NEWS +++ b/NEWS @@ -273,6 +273,8 @@ PHP NEWS . Fixed bug #72697 (select_colors write out-of-bounds). (Stas) . Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb) . Fixed bug #72730 (imagegammacorrect allows arbitrary write access). (Stas) + . Fixed bug #72494 (imagecropauto out-of-bounds access). (Fernando, Pierre, + cmb) - Intl: . Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c index 83315214465..58b630317dd 100644 --- a/ext/gd/libgd/gd_crop.c +++ b/ext/gd/libgd/gd_crop.c @@ -243,6 +243,10 @@ gdImagePtr gdImageCropThreshold(gdImagePtr im, const unsigned int color, const f return NULL; } + if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) { + return NULL; + } + /* TODO: Add gdImageGetRowPtr and works with ptr at the row level * for the true color and palette images * new formats will simply work with ptr diff --git a/ext/gd/tests/bug72494.phpt b/ext/gd/tests/bug72494.phpt new file mode 100644 index 00000000000..f21de6ca3b8 --- /dev/null +++ b/ext/gd/tests/bug72494.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #72494 (imagecropauto out-of-bounds access) +--SKIPIF-- + +--FILE-- + +===DONE=== +--EXPECTF-- +Warning: imagecropauto(): Color argument missing with threshold mode in %s on line %d +===DONE===
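Review bot: In the ext/gd/libgd/gd_crop.c hunk, the new condition `color >= gdImageColorsTotal(im)` compares `color`, declared `const unsigned int` in the function signature, against the value of a macro whose type is not visible here. If that value is a signed int, this is a mixed signed/unsigned comparison and may trip -Wsign-compare. An explicit cast such as `color >= (unsigned int) gdImageColorsTotal(im)` would state the intent. A one-line comment above the check would also help, saying that a palette index beyond the allocated colors is rejected to prevent the out-of-bounds access named in the subject, since the following TODO comment is unrelated to it.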
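Review bot: In ext/gd/tests/bug72494.phpt the --EXPECTF-- section expects only `Warning: imagecropauto(): Color argument missing with threshold mode`, which reads as argument validation in imagecropauto() itself, so the range check this patch adds to gdImageCropThreshold() does not appear to be exercised by the regression test. Consider adding a case that calls imagecropauto() in threshold mode on a palette image with a color index at or above the number of allocated colors, and asserting that the call fails cleanly instead of returning a cropped image.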