1 files changed, 94 insertions, 0 deletions
diff --git a/bug72697.patch b/bug72697.patch
new file mode 100644
index 0000000..a29ff7a
--- /dev/null
+++ b/bug72697.patch
@@ -0,0 +1,94 @@
+Backported from 5.6.25 by Remi.
+
+From 4d76676101f8814520ea988e42b3bda54eb9e255 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 10 Aug 2016 00:00:14 -0700
+Subject: [PATCH] Fix bug#72697 - select_colors write out-of-bounds
+
+---
+ ext/gd/gd.c                | 16 ++++++++--------
+ ext/gd/tests/bug72697.phpt | 17 +++++++++++++++++
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+ create mode 100644 ext/gd/tests/bug72697.phpt
+
+diff --git a/ext/gd/gd.c b/ext/gd/gd.c
+index b96f901..5c604b7 100644
+--- a/ext/gd/gd.c
++++ b/ext/gd/gd.c
+@@ -1615,11 +1615,11 @@ PHP_FUNCTION(imagetruecolortopalette)
+ 
+ 	ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
+ 
+-	if (ncolors <= 0) {
+-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero");
++	if (ncolors <= 0 || ncolors > INT_MAX) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
+ 		RETURN_FALSE;
+ 	}
+-	gdImageTrueColorToPalette(im, dither, ncolors);
++	gdImageTrueColorToPalette(im, dither, (int)ncolors);
+ 
+ 	RETURN_TRUE;
+ }
+diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt
+new file mode 100644
+index 0000000..6110385
+--- /dev/null
++++ b/ext/gd/tests/bug72697.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #72697: select_colors write out-of-bounds
++--SKIPIF--
++<?php 
++if (!function_exists("imagecreatetruecolor")) die("skip");
++if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
++?>
++--FILE--
++<?php
++
++$img=imagecreatetruecolor(10, 10);
++imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
++?>
++DONE
++--EXPECTF--
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
++DONE
+\ No newline at end of file
+
+From 64e4b276bda8bfa504df8acb40d07369b8d124b3 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:47:53 -0700
+Subject: [PATCH] fix tests
+
+---
+ ext/gd/tests/imagetruecolortopalette_error3.phpt | 2 +-
+ ext/gd/tests/imagetruecolortopalette_error4.phpt | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/gd/tests/imagetruecolortopalette_error3.phpt b/ext/gd/tests/imagetruecolortopalette_error3.phpt
+index d65a995..dbbdb08 100644
+--- a/ext/gd/tests/imagetruecolortopalette_error3.phpt
++++ b/ext/gd/tests/imagetruecolortopalette_error3.phpt
+@@ -25,4 +25,4 @@ Warning: imagetruecolortopalette() expects parameter 3 to be long, resource give
+ 
+ Warning: imagetruecolortopalette() expects parameter 3 to be long, array given in %s on line %d
+ 
+-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
+\ No newline at end of file
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
+\ No newline at end of file
+diff --git a/ext/gd/tests/imagetruecolortopalette_error4.phpt b/ext/gd/tests/imagetruecolortopalette_error4.phpt
+index b9661e3..1d56bfc 100644
+--- a/ext/gd/tests/imagetruecolortopalette_error4.phpt
++++ b/ext/gd/tests/imagetruecolortopalette_error4.phpt
+@@ -16,6 +16,6 @@ imagetruecolortopalette($image, true, -1);
+ 
+ ?>
+ --EXPECTF--
+-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
+ 
+-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
+\ No newline at end of file
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
+\ No newline at end of file