Permalink
Browse files

[Security] Prevent illegal write/read access caused by gdImageAALine …

…overflow

Summary: As titled.

Reviewed By: markw65

Differential Revision: D4430384

fbshipit-source-id: 93e28287f936e2748f3806fa85818ba78b56db48
  • Loading branch information...
fredemmott committed Jan 9, 2018
1 parent 80855dc commit b0c2d0114a47079819566afcc17467b0a92cefde
@@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
}
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
@@ -1303,55 +1303,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
long x, y, inc, frac;
long dx, dy,tmp;
if (y1 < 0 && y2 < 0) {
return;
}
if (y1 < 0) {
x1 += (y1 * (x1 - x2)) / (y2 - y1);
y1 = 0;
}
if (y2 < 0) {
x2 += (y2 * (x1 - x2)) / (y2 - y1);
y2 = 0;
}
/* bottom edge */
if (y1 >= im->sy && y2 >= im->sy) {
return;
}
if (y1 >= im->sy) {
x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
y1 = im->sy - 1;
}
if (y2 >= im->sy) {
x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
y2 = im->sy - 1;
}
/* left edge */
if (x1 < 0 && x2 < 0) {
return;
}
if (x1 < 0) {
y1 += (x1 * (y1 - y2)) / (x2 - x1);
x1 = 0;
}
if (x2 < 0) {
y2 += (x2 * (y1 - y2)) / (x2 - x1);
x2 = 0;
}
/* right edge */
if (x1 >= im->sx && x2 >= im->sx) {
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
if (x1 >= im->sx) {
y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
x1 = im->sx - 1;
}
if (x2 >= im->sx) {
y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
x2 = im->sx - 1;
}
dx = x2 - x1;
dy = y2 - y1;
@@ -0,0 +1,8 @@
<?php
$img = imagecreatetruecolor(13, 1007);
imageantialias($img, true);
imageline($img, 0, 0, 1073745919, 1073745919, 4096);
$img = imagecreatetruecolor(100, 100);
imageantialias($img, true);
imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
@@ -0,0 +1,3 @@
<?php
if(!extension_loaded('gd')){ die('skip gd extension not available'); }
?>
@@ -0,0 +1,9 @@
<?php
require_once 'func.inc';
$im = imagecreatetruecolor(10, 10);
imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
imageantialias($im, true);
imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
@@ -0,0 +1 @@
The images are equal.
@@ -0,0 +1,3 @@
<?php
if(!extension_loaded('gd')){ die('skip gd extension not available'); }
?>
Binary file not shown.

0 comments on commit b0c2d01

Please sign in to comment.