Fix #330: Integer overflow in gdImageScaleBilinearPalette()

The color components are supposed to be in range 0..255, so we must not cast them to `signed char`, what can be the default for `char`.
libgd · Oct 10, 2016 · 77c8d35 · 77c8d35
1 parent 7ce5aea
commit 77c8d35
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 4 deletions.
diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
@@ -1267,10 +1267,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
 			f_a4 = gd_itofx(gdTrueColorGetAlpha(pixel4));
 
 			{
-				const char red = (char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
-				const char green = (char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
-				const char blue = (char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
-				const char alpha = (char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
+				const unsigned char red = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
+				const unsigned char green = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
+				const unsigned char blue = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
+				const unsigned char alpha = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
 
 				new_img->tpixels[dst_offset_v][dst_offset_h] = gdTrueColorAlpha(red, green, blue, alpha);
 			}

diff --git a/tests/gdimagescale/.gitignore b/tests/gdimagescale/.gitignore
@@ -1,2 +1,3 @@
+/bug00330
 /github_bug_00218
 /bug_overflow_large_new_size
diff --git a/tests/gdimagescale/CMakeLists.txt b/tests/gdimagescale/CMakeLists.txt
@@ -1,4 +1,5 @@
 LIST(APPEND TESTS_FILES
+	bug00330
 	github_bug_00218
 	bug_overflow_large_new_size
 )

diff --git a/tests/gdimagescale/Makemodule.am b/tests/gdimagescale/Makemodule.am
@@ -1,5 +1,6 @@
 
 libgd_test_programs += \
+	gdimagescale/bug00330 \
 	gdimagescale/github_bug_00218 \
 	gdimagescale/bug_overflow_large_new_size
 

diff --git a/tests/gdimagescale/bug00330.c b/tests/gdimagescale/bug00330.c
@@ -0,0 +1,32 @@
+/**
+ * Regression test for <https://github.com/libgd/libgd/issues/330>.
+ *
+ * We're testing that after scaling a palette image, the center pixel actually
+ * has the expected color value.
+ */
+
+
+#include "gd.h"
+#include "gdtest.h"
+
+
+int main()
+{
+    gdImagePtr src, dst;
+    int color;
+
+    src = gdImageCreate(100, 100);
+    gdImageColorAllocate(src, 255, 255, 255);
+
+    gdImageSetInterpolationMethod(src, GD_BILINEAR_FIXED);
+    dst = gdImageScale(src, 200, 200);
+
+    color = gdImageGetPixel(dst, 99, 99);
+    gdTestAssertMsg(color == 0xffffff,
+                    "expected color ffffff, but got %x\n", color);
+
+    gdImageDestroy(src);
+    gdImageDestroy(dst);
+
+    return 0;
+}