From 22b274864edbc4052b961c5d14beecf665b46c49 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 10 Sep 2016 10:14:22 +0200 Subject: PHP 5.5.38 + security patches from 5.6.25 --- bug72697.patch | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 bug72697.patch (limited to 'bug72697.patch') diff --git a/bug72697.patch b/bug72697.patch new file mode 100644 index 0000000..a29ff7a --- /dev/null +++ b/bug72697.patch @@ -0,0 +1,94 @@ +Backported from 5.6.25 by Remi. + +From 4d76676101f8814520ea988e42b3bda54eb9e255 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 10 Aug 2016 00:00:14 -0700 +Subject: [PATCH] Fix bug#72697 - select_colors write out-of-bounds + +--- + ext/gd/gd.c | 16 ++++++++-------- + ext/gd/tests/bug72697.phpt | 17 +++++++++++++++++ + 2 files changed, 25 insertions(+), 8 deletions(-) + create mode 100644 ext/gd/tests/bug72697.phpt + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index b96f901..5c604b7 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1615,11 +1615,11 @@ PHP_FUNCTION(imagetruecolortopalette) + + ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd); + +- if (ncolors <= 0) { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero"); ++ if (ncolors <= 0 || ncolors > INT_MAX) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX); + RETURN_FALSE; + } +- gdImageTrueColorToPalette(im, dither, ncolors); ++ gdImageTrueColorToPalette(im, dither, (int)ncolors); + + RETURN_TRUE; + } +diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt +new file mode 100644 +index 0000000..6110385 +--- /dev/null ++++ b/ext/gd/tests/bug72697.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72697: select_colors write out-of-bounds ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECTF-- ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d ++DONE +\ No newline at end of file + +From 64e4b276bda8bfa504df8acb40d07369b8d124b3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 16 Aug 2016 16:47:53 -0700 +Subject: [PATCH] fix tests + +--- + ext/gd/tests/imagetruecolortopalette_error3.phpt | 2 +- + ext/gd/tests/imagetruecolortopalette_error4.phpt | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/gd/tests/imagetruecolortopalette_error3.phpt b/ext/gd/tests/imagetruecolortopalette_error3.phpt +index d65a995..dbbdb08 100644 +--- a/ext/gd/tests/imagetruecolortopalette_error3.phpt ++++ b/ext/gd/tests/imagetruecolortopalette_error3.phpt +@@ -25,4 +25,4 @@ Warning: imagetruecolortopalette() expects parameter 3 to be long, resource give + + Warning: imagetruecolortopalette() expects parameter 3 to be long, array given in %s on line %d + +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d +\ No newline at end of file ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d +\ No newline at end of file +diff --git a/ext/gd/tests/imagetruecolortopalette_error4.phpt b/ext/gd/tests/imagetruecolortopalette_error4.phpt +index b9661e3..1d56bfc 100644 +--- a/ext/gd/tests/imagetruecolortopalette_error4.phpt ++++ b/ext/gd/tests/imagetruecolortopalette_error4.phpt +@@ -16,6 +16,6 @@ imagetruecolortopalette($image, true, -1); + + ?> + --EXPECTF-- +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d + +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d +\ No newline at end of file ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d +\ No newline at end of file -- cgit