diff options
| author | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
|---|---|---|
| committer | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
| commit | e2958a432947f16a89f196171a572abc1c506154 (patch) | |
| tree | de3eb8998c1b54f88954a46feccd716edd83c4ea /bug72298.patch | |
| parent | 003b71973f17c66ab9544546f693f290dbfa300e (diff) | |
PHP 5.4.45 with security fix from 5.5.37
Diffstat (limited to 'bug72298.patch')
| -rw-r--r-- | bug72298.patch | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/bug72298.patch b/bug72298.patch new file mode 100644 index 0000000..206578e --- /dev/null +++ b/bug72298.patch @@ -0,0 +1,93 @@ +From e9ac8954be9f7d988189df44578d759ffdea3512 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 18 Jun 2016 21:04:33 -0700 +Subject: [PATCH] Fix bug #72298 pass2_no_dither out-of-bounds access + +--- + ext/gd/libgd/gd_topal.c | 14 +++++++------- + ext/gd/tests/bug72298.phpt | 15 +++++++++++++++ + 2 files changed, 22 insertions(+), 7 deletions(-) + create mode 100644 ext/gd/tests/bug72298.phpt + +diff --git a/ext/gd/libgd/gd_topal.c b/ext/gd/libgd/gd_topal.c +index b9cb928..d8dda45 100644 +--- a/ext/gd/libgd/gd_topal.c ++++ b/ext/gd/libgd/gd_topal.c +@@ -43,7 +43,7 @@ + * If it is not working, it's not Thomas G. Lane's fault. + */ + +-/* ++/* + SETTING THIS ONE CAUSES STRIPED IMAGE + to be done: solve this + #define ORIGINAL_LIB_JPEG_REVERSE_ODD_ROWS +@@ -152,7 +152,7 @@ + * color space, and repeatedly splits the "largest" remaining box until we + * have as many boxes as desired colors. Then the mean color in each + * remaining box becomes one of the possible output colors. +- * ++ * + * The second pass over the image maps each input pixel to the closest output + * color (optionally after applying a Floyd-Steinberg dithering correction). + * This mapping is logically trivial, but making it go fast enough requires +@@ -1320,16 +1320,16 @@ pass2_no_dither (j_decompress_ptr cinfo, + #else + r = gdTrueColorGetRed (*inptr); + g = gdTrueColorGetGreen (*inptr); +- /* ++ /* + 2.0.24: inptr must not be incremented until after +- transparency check, if any. Thanks to "Super Pikeman." ++ transparency check, if any. Thanks to "Super Pikeman." + */ + b = gdTrueColorGetBlue (*inptr); + + /* If the pixel is transparent, we assign it the palette index that + * will later be added at the end of the palette as the transparent + * index. */ +- if ((oim->transparent >= 0) && (oim->transparent == *(inptr - 1))) ++ if ((oim->transparent >= 0) && (oim->transparent == *inptr)) + { + *outptr++ = nim->colorsTotal; + inptr++; +@@ -1795,7 +1795,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color + } + } else { + nim = oim; +- } ++ } + if (!oim->trueColor) + { + /* (Almost) nothing to do! */ +@@ -2004,7 +2004,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color + } + + /* Success! Get rid of the truecolor image data. */ +- if (!cimP) { ++ if (!cimP) { + oim->trueColor = 0; + /* Junk the truecolor pixels */ + for (i = 0; i < oim->sy; i++) +diff --git a/ext/gd/tests/bug72298.phpt b/ext/gd/tests/bug72298.phpt +new file mode 100644 +index 0000000..7fba241 +--- /dev/null ++++ b/ext/gd/tests/bug72298.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #72298: pass2_no_dither out-of-bounds access ++--SKIPIF-- ++<?php ++ if (!extension_loaded('gd')) die("skip gd extension not available\n"); ++?> ++--FILE-- ++<?php ++$img = imagecreatetruecolor (1 , 1); ++imagecolortransparent($img, 0); ++imagetruecolortopalette($img, false, 4); ++?> ++DONE ++--EXPECT-- ++DONE +\ No newline at end of file |