fix #72512, invalid read or write for palette image when invalid tran…

…sparent index is used Conflicts: ext/gd/libgd/gd.c
php · Jul 19, 2016 · 928aecc · 928aecc
1 parent 33c1a55
commit 928aecc
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -602,11 +602,11 @@ void gdImageColorTransparent (gdImagePtr im, int color)
 	if (color < 0) {
 		return;
 	}
-
 	if (!im->trueColor) {
-		if((color >= gdMaxColors)) {
+		if((color >= im->colorsTotal)) {
 			return;
 		}
+		/* Make the old transparent color opaque again */
 		if (im->transparent != -1) {
 			im->alpha[im->transparent] = gdAlphaOpaque;
 		}

diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
@@ -1247,7 +1247,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
 	if (new_img == NULL) {
 		return NULL;
 	}
-	new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+
+	if (transparent < 0) {
+		/* uninitialized */
+		new_img->transparent = -1;
+	} else {
+		new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+	}
 
 	for (i=0; i < _height; i++) {
 		long j;

diff --git a/ext/gd/tests/bug72512.phpt b/ext/gd/tests/bug72512.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #19366 (gdimagefill() function crashes (fixed in bundled libgd))
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$img = imagecreatetruecolor(100, 100);
+imagecolortransparent($img, -1000000);
+imagetruecolortopalette($img, TRUE, 3);
+imagecolortransparent($img, 9);
+echo "OK";
+?>
+--EXPECT--
+OK
+