1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
From e9ac8954be9f7d988189df44578d759ffdea3512 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 18 Jun 2016 21:04:33 -0700
Subject: [PATCH] Fix bug #72298 pass2_no_dither out-of-bounds access
---
ext/gd/libgd/gd_topal.c | 14 +++++++-------
ext/gd/tests/bug72298.phpt | 15 +++++++++++++++
2 files changed, 22 insertions(+), 7 deletions(-)
create mode 100644 ext/gd/tests/bug72298.phpt
diff --git a/ext/gd/libgd/gd_topal.c b/ext/gd/libgd/gd_topal.c
index b9cb928..d8dda45 100644
--- a/ext/gd/libgd/gd_topal.c
+++ b/ext/gd/libgd/gd_topal.c
@@ -43,7 +43,7 @@
* If it is not working, it's not Thomas G. Lane's fault.
*/
-/*
+/*
SETTING THIS ONE CAUSES STRIPED IMAGE
to be done: solve this
#define ORIGINAL_LIB_JPEG_REVERSE_ODD_ROWS
@@ -152,7 +152,7 @@
* color space, and repeatedly splits the "largest" remaining box until we
* have as many boxes as desired colors. Then the mean color in each
* remaining box becomes one of the possible output colors.
- *
+ *
* The second pass over the image maps each input pixel to the closest output
* color (optionally after applying a Floyd-Steinberg dithering correction).
* This mapping is logically trivial, but making it go fast enough requires
@@ -1320,16 +1320,16 @@ pass2_no_dither (j_decompress_ptr cinfo,
#else
r = gdTrueColorGetRed (*inptr);
g = gdTrueColorGetGreen (*inptr);
- /*
+ /*
2.0.24: inptr must not be incremented until after
- transparency check, if any. Thanks to "Super Pikeman."
+ transparency check, if any. Thanks to "Super Pikeman."
*/
b = gdTrueColorGetBlue (*inptr);
/* If the pixel is transparent, we assign it the palette index that
* will later be added at the end of the palette as the transparent
* index. */
- if ((oim->transparent >= 0) && (oim->transparent == *(inptr - 1)))
+ if ((oim->transparent >= 0) && (oim->transparent == *inptr))
{
*outptr++ = nim->colorsTotal;
inptr++;
@@ -1795,7 +1795,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
}
} else {
nim = oim;
- }
+ }
if (!oim->trueColor)
{
/* (Almost) nothing to do! */
@@ -2004,7 +2004,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
}
/* Success! Get rid of the truecolor image data. */
- if (!cimP) {
+ if (!cimP) {
oim->trueColor = 0;
/* Junk the truecolor pixels */
for (i = 0; i < oim->sy; i++)
diff --git a/ext/gd/tests/bug72298.phpt b/ext/gd/tests/bug72298.phpt
new file mode 100644
index 0000000..7fba241
--- /dev/null
+++ b/ext/gd/tests/bug72298.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #72298: pass2_no_dither out-of-bounds access
+--SKIPIF--
+<?php
+ if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor (1 , 1);
+imagecolortransparent($img, 0);
+imagetruecolortopalette($img, false, 4);
+?>
+DONE
+--EXPECT--
+DONE
\ No newline at end of file
|
