Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix bug#72697 - select_colors write out-of-bounds
(cherry picked from commit b6f13a5)

Conflicts:
	ext/gd/gd.c
  • Loading branch information
weltling committed Aug 16, 2016
1 parent b735a44 commit 28022c9
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 3 deletions.
6 changes: 3 additions & 3 deletions ext/gd/gd.c
Expand Up @@ -1537,11 +1537,11 @@ PHP_FUNCTION(imagetruecolortopalette)
RETURN_FALSE;
}

if (ncolors <= 0) {
php_error_docref(NULL, E_WARNING, "Number of colors has to be greater than zero");
if (ncolors <= 0 || ZEND_LONG_INT_OVFL(ncolors)) {
php_error_docref(NULL, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
RETURN_FALSE;
}
gdImageTrueColorToPalette(im, dither, ncolors);
gdImageTrueColorToPalette(im, dither, (int)ncolors);

RETURN_TRUE;
}
Expand Down
17 changes: 17 additions & 0 deletions ext/gd/tests/bug72697.phpt
@@ -0,0 +1,17 @@
--TEST--
Bug #72697: select_colors write out-of-bounds
--SKIPIF--
<?php
if (!function_exists("imagecreatetruecolor")) die("skip");
if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
?>
--FILE--
<?php

$img=imagecreatetruecolor(10, 10);
imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
?>
DONE
--EXPECTF--
Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
DONE

0 comments on commit 28022c9

Please sign in to comment.