Skip to content

Commit 28022c9

Browse files
committed
Fix bug#72697 - select_colors write out-of-bounds
(cherry picked from commit b6f13a5) Conflicts: ext/gd/gd.c
1 parent b735a44 commit 28022c9

File tree

2 files changed

+20
-3
lines changed

2 files changed

+20
-3
lines changed

Diff for: ext/gd/gd.c

+3-3
Original file line numberDiff line numberDiff line change
@@ -1537,11 +1537,11 @@ PHP_FUNCTION(imagetruecolortopalette)
15371537
RETURN_FALSE;
15381538
}
15391539

1540-
if (ncolors <= 0) {
1541-
php_error_docref(NULL, E_WARNING, "Number of colors has to be greater than zero");
1540+
if (ncolors <= 0 || ZEND_LONG_INT_OVFL(ncolors)) {
1541+
php_error_docref(NULL, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
15421542
RETURN_FALSE;
15431543
}
1544-
gdImageTrueColorToPalette(im, dither, ncolors);
1544+
gdImageTrueColorToPalette(im, dither, (int)ncolors);
15451545

15461546
RETURN_TRUE;
15471547
}

Diff for: ext/gd/tests/bug72697.phpt

+17
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
--TEST--
2+
Bug #72697: select_colors write out-of-bounds
3+
--SKIPIF--
4+
<?php
5+
if (!function_exists("imagecreatetruecolor")) die("skip");
6+
if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
7+
?>
8+
--FILE--
9+
<?php
10+
11+
$img=imagecreatetruecolor(10, 10);
12+
imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
13+
?>
14+
DONE
15+
--EXPECTF--
16+
Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
17+
DONE

0 commit comments

Comments
 (0)