GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, which can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
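The check described in the commit message above, sketched as an added example; it is not the PHP or libgd code. The function names and the 4-byte sample buffers are constructed for illustration, and big-endian words and a 32-bit int are assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: horizontal count, then vertical count, each a 2-byte word. */
static const unsigned char SAMPLE_OK[4]   = {0x00, 0x03, 0x00, 0x02}; /* 3 x 2 */
static const unsigned char SAMPLE_ZERO[4] = {0x00, 0x00, 0x00, 0x02}; /* 0 x 2 */
static const unsigned char SAMPLE_HUGE[4] = {0xFF, 0xFF, 0xFF, 0xFF}; /* 65535 x 65535 */

/* Read one 2-byte unsigned word (big-endian byte order assumed for the samples). */
static int read_word(const unsigned char *p)
{
    return (p[0] << 8) | p[1];
}

/* The true product, computed in 32-bit unsigned arithmetic for comparison. */
uint32_t full_product(const unsigned char *hdr)
{
    return (uint32_t)read_word(hdr) * (uint32_t)read_word(hdr + 2);
}

/* Return the total chunk count, or -1 if either count is zero or the
 * product would not fit in an int. The bound is checked by division, so the
 * multiplication only happens once it is known to be safe. */
int checked_chunk_total(const unsigned char *hdr)
{
    int ncx = read_word(hdr);
    int ncy = read_word(hdr + 2);

    if (ncx <= 0 || ncy <= 0)
        return -1;              /* a zero chunk count is illegal */
    if (ncx > INT_MAX / ncy)
        return -1;              /* ncx * ncy would overflow int */
    return ncx * ncy;
}

int main(void)
{
    printf("3 x 2         -> %d\n", checked_chunk_total(SAMPLE_OK));
    printf("0 x 2         -> %d\n", checked_chunk_total(SAMPLE_ZERO));
    printf("65535 x 65535 -> %d (true product %lu, INT_MAX %d)\n",
           checked_chunk_total(SAMPLE_HUGE),
           (unsigned long)full_product(SAMPLE_HUGE), INT_MAX);
    return 0;
}
```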
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
We add PHP bindings for libgd's features to read and write BMP files, which
are available as of libgd 2.1.0.
As PHP's bundled libgd doesn't yet include the respective features of the
external libgd, we add these.
* PHP-7.1:
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fix #72696: imagefilltoborder stackoverflow on truecolor images
Fix #72482: Illegal write/read access caused by gdImageAALine overflow
Fix bug #73144 and bug #73341 - remove extra dtor
remove unreferenced var came in with merge
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
Fix #72696: imagefilltoborder stackoverflow on truecolor images
Fix #72482: Illegal write/read access caused by gdImageAALine overflow
fix version
set versions
Fix bug #73144 and bug #73341 - remove extra dtor
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
* PHP-7.0:
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fix #72696: imagefilltoborder stackoverflow on truecolor images
Fix #72482: Illegal write/read access caused by gdImageAALine overflow
Fix bug #73144 and bug #73341 - remove extra dtor
remove unreferenced var came in with merge
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
Fix #72696: imagefilltoborder stackoverflow on truecolor images
Fix #72482: Illegal write/read access caused by gdImageAALine overflow
fix version
set versions
Fix bug #73144 and bug #73341 - remove extra dtor
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
* phpsec/PHP-7.0.13:
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fix #72696: imagefilltoborder stackoverflow on truecolor images
Fix #72482: Illegal write/read access caused by gdImageAALine overflow
Fix bug #73144 and bug #73341 - remove extra dtor
remove unreferenced var came in with merge
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
fix version
set versions
We must not allow negative color values to be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
(cherry picked from commit 863d37ea66)
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
(cherry picked from commit 6499581af7)
We must not allow negative color values to be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
We expose the image resolution related GD functionality to userland
by introducing `imageresolution()` as getter/setter. Given only the
image argument, it returns the current resolution as indexed array.
Given only a second argument, it sets the horizontal and vertical
resolution to this value. Given three arguments, it sets the horizontal
and vertical resolution to the given arguments, respectively.
The color components are supposed to be in range 0..255, so we must not
cast them to `signed char`, which can be the default for `char`.
Port of <https://github.com/libgd/libgd/commit/77c8d359>.
There's no need anymore to call an own error handler directly. Instead we
register our error handler and call libgd's error functions (which will
forward). We do this regardless of compiling with the bundled or an external
libgd.
We're porting the relevant changes from
<https://github.com/libgd/libgd/commit/34a00a40>.
We also check the return value in the PHP binding, and throw E_WARNING if
the conversion failed.
gdImageOpenPolygon() has been introduced with libgd 2.0.29, so we finally
add a PHP binding for it, and port the respective libgd functionality to
PHP's bundled libgd.
gdLayerMultiply() has been introduced in libgd 2.1.1, and as such would have
been already available for imagelayereffect() with a system libgd. We port
the respective code to the bundled libgd, and also make IMG_EFFECT_MULTIPLY
available to userland.
Instead of rolling our own in the bundled libgd, we use libgd's anti-aliased
drawing API. This way imageantialias() is also available, when built against
a system libgd.
Curiously, while the external GD claims "just a few vestiges after switching
to the fast, memory-cheap implementation from PHP-gd", that stuff was still
in the bundled GD.
We apply the law `(b**r)**s == b**(r*s)` which holds for all non-negative b
and positive r,s, so a single pow() suffices. Furthermore, we precompute the
gamma, so the refactored code is simpler and faster.
The recently introduced test_image_equals_file() doesn't properly work for
palette images, because in this case only the palette indexes are compared,
which can lead to false positives and negatives as shown in the added test.
To fix that we convert palette images to truecolor, which is supposed to be
faster than calling imagecolorsforindex() for each pixel.
We furthermore rely on PHP's refcounting to free unused images; after all,
this is not C.
The GD image format is able to handle truecolor images as of libgd 2.0.12
(<https://github.com/libgd/libgd/blob/gd-2.2.3/src/gd_gd.c#L31-L33>).
Therefore we don't need the potentially lossy and time consuming palette
conversion.
This way, imagegd() can also be used to export raw truecolor image data.
UTF-8 font file names are not yet supported on Windows[1], so we're skipping
the respective tests on this platform, but enable them on other platforms.
[1] <http://news.php.net/php.internals.win/1142>
Firstly, there is no fundamental difference between running the tests on
freetype before and after 2.4.10, so we re-join the respective test cases.
Secondly, there are some minor differences in the results depending on
architecture, freetype versions and config options, so we cater to that
by allowing small deviations from the expectations.
* integrate gd_arc.c into gd.c (as of gd-2.1.0-alpha1)
* rename gd_color.c to gd_color_match.c (as of gd-2.1.0-alpha1)
* remove mathmake.c (as of GD_2_0_34RC1)
* rename xbm.c to gd_xbm.c (as of gd-2.1.0-alpha1)
The earlier gdAlphaBlend() has been replaced with commit 1286d9e2, and has
been renamed to gdAlphaBlendOld(). The old function is, however, not used,
and after more than 9 years we're pretty sure we won't need it anymore.
Apparently, different FreeType versions render the string differently, so
we have to cater to these slight differences. Unfortunately, the testing
framework doesn't yet offer a clean API for this, so we work around the
limitations by parsing and checking the output of test_image_equals_file().