From e9ac8954be9f7d988189df44578d759ffdea3512 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 18 Jun 2016 21:04:33 -0700
Subject: [PATCH] Fix bug #72298	pass2_no_dither out-of-bounds access

---
 ext/gd/libgd/gd_topal.c    | 14 +++++++-------
 ext/gd/tests/bug72298.phpt | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 ext/gd/tests/bug72298.phpt

diff --git a/ext/gd/libgd/gd_topal.c b/ext/gd/libgd/gd_topal.c
index b9cb928..d8dda45 100644
--- a/ext/gd/libgd/gd_topal.c
+++ b/ext/gd/libgd/gd_topal.c
@@ -43,7 +43,7 @@
  * If it is not working, it's not Thomas G. Lane's fault.
  */
 
-/* 
+/*
   SETTING THIS ONE CAUSES STRIPED IMAGE
   to be done: solve this
   #define ORIGINAL_LIB_JPEG_REVERSE_ODD_ROWS
@@ -152,7 +152,7 @@
  * color space, and repeatedly splits the "largest" remaining box until we
  * have as many boxes as desired colors.  Then the mean color in each
  * remaining box becomes one of the possible output colors.
- * 
+ *
  * The second pass over the image maps each input pixel to the closest output
  * color (optionally after applying a Floyd-Steinberg dithering correction).
  * This mapping is logically trivial, but making it go fast enough requires
@@ -1320,16 +1320,16 @@ pass2_no_dither (j_decompress_ptr cinfo,
 #else
 	  r = gdTrueColorGetRed (*inptr);
 	  g = gdTrueColorGetGreen (*inptr);
-	  /* 
+	  /*
 	     2.0.24: inptr must not be incremented until after
-	     transparency check, if any. Thanks to "Super Pikeman." 
+	     transparency check, if any. Thanks to "Super Pikeman."
 	   */
 	  b = gdTrueColorGetBlue (*inptr);
 
 	  /* If the pixel is transparent, we assign it the palette index that
 	   * will later be added at the end of the palette as the transparent
 	   * index. */
-	  if ((oim->transparent >= 0) && (oim->transparent == *(inptr - 1)))
+	  if ((oim->transparent >= 0) && (oim->transparent == *inptr))
 	    {
 	      *outptr++ = nim->colorsTotal;
 	      inptr++;
@@ -1795,7 +1795,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
     }
   } else {
     nim = oim;
-  }     
+  }
   if (!oim->trueColor)
     {
       /* (Almost) nothing to do! */
@@ -2004,7 +2004,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
     }
 
   /* Success! Get rid of the truecolor image data. */
-  if (!cimP) { 
+  if (!cimP) {
     oim->trueColor = 0;
     /* Junk the truecolor pixels */
     for (i = 0; i < oim->sy; i++)
diff --git a/ext/gd/tests/bug72298.phpt b/ext/gd/tests/bug72298.phpt
new file mode 100644
index 0000000..7fba241
--- /dev/null
+++ b/ext/gd/tests/bug72298.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #72298: pass2_no_dither out-of-bounds access
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor (1 , 1); 
+imagecolortransparent($img, 0);
+imagetruecolortopalette($img, false, 4);
+?>
+DONE
+--EXPECT--
+DONE
\ No newline at end of file