Backported from 5.6.25 by Remi.

From 4d76676101f8814520ea988e42b3bda54eb9e255 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 10 Aug 2016 00:00:14 -0700
Subject: [PATCH] Fix bug#72697 - select_colors write out-of-bounds

---
 ext/gd/gd.c                | 16 ++++++++--------
 ext/gd/tests/bug72697.phpt | 17 +++++++++++++++++
 2 files changed, 25 insertions(+), 8 deletions(-)
 create mode 100644 ext/gd/tests/bug72697.phpt

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index b96f901..5c604b7 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1615,11 +1615,11 @@ PHP_FUNCTION(imagetruecolortopalette)
 
 	ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
 
-	if (ncolors <= 0) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero");
+	if (ncolors <= 0 || ncolors > INT_MAX) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
 		RETURN_FALSE;
 	}
-	gdImageTrueColorToPalette(im, dither, ncolors);
+	gdImageTrueColorToPalette(im, dither, (int)ncolors);
 
 	RETURN_TRUE;
 }
diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt
new file mode 100644
index 0000000..6110385
--- /dev/null
+++ b/ext/gd/tests/bug72697.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72697: select_colors write out-of-bounds
+--SKIPIF--
+<?php 
+if (!function_exists("imagecreatetruecolor")) die("skip");
+if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
+?>
+--FILE--
+<?php
+
+$img=imagecreatetruecolor(10, 10);
+imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
+?>
+DONE
+--EXPECTF--
+Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
+DONE
\ No newline at end of file

From 64e4b276bda8bfa504df8acb40d07369b8d124b3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 16 Aug 2016 16:47:53 -0700
Subject: [PATCH] fix tests

---
 ext/gd/tests/imagetruecolortopalette_error3.phpt | 2 +-
 ext/gd/tests/imagetruecolortopalette_error4.phpt | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/gd/tests/imagetruecolortopalette_error3.phpt b/ext/gd/tests/imagetruecolortopalette_error3.phpt
index d65a995..dbbdb08 100644
--- a/ext/gd/tests/imagetruecolortopalette_error3.phpt
+++ b/ext/gd/tests/imagetruecolortopalette_error3.phpt
@@ -25,4 +25,4 @@ Warning: imagetruecolortopalette() expects parameter 3 to be long, resource give
 
 Warning: imagetruecolortopalette() expects parameter 3 to be long, array given in %s on line %d
 
-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
\ No newline at end of file
+Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
\ No newline at end of file
diff --git a/ext/gd/tests/imagetruecolortopalette_error4.phpt b/ext/gd/tests/imagetruecolortopalette_error4.phpt
index b9661e3..1d56bfc 100644
--- a/ext/gd/tests/imagetruecolortopalette_error4.phpt
+++ b/ext/gd/tests/imagetruecolortopalette_error4.phpt
@@ -16,6 +16,6 @@ imagetruecolortopalette($image, true, -1);
 
 ?>
 --EXPECTF--
-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
+Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
 
-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
\ No newline at end of file
+Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
\ No newline at end of file