Fixed bug #53492 (fix crash if anti-aliasing steps are invalid).

php · Dec 8, 2010 · 9501a3b · 9501a3b
1 parent 140a3a8
commit 9501a3b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/NEWS b/NEWS
@@ -1,21 +1,18 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2010, PHP 5.2.15
-
-02 Dec 2010, PHP 5.2.15RC2
+09 Dec 2010, PHP 5.2.15
 - Fixed extract() to do not overwrite $GLOBALS and $this when using
-  EXTR_OVERWRITE. (jorto at redhat dot com)
-
-18 Nov 2010, PHP 5.2.15RC1
+  EXTR_OVERWRITE. (jorto at redhat dot com)  
 - Fixed crash in zip extract method (possible CWE-170). 
   (Maksymilian Arciemowicz, Pierre)
 - Fixed a possible double free in imap extension (Identified by Mateusz 
   Kocielski). (CVE-2010-4150). (Ilia)
 - Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre)
 - Fixed possible crash in mssql_fetch_batch(). (Kalle)
-
 - Fixed NULL pointer dereference in ZipArchive::getArchiveComment.
   (CVE-2010-3709). (Maksymilian Arciemowicz)
+
+- Fixed bug #53492 (fix crash if anti-aliasing steps are invalid). (Pierre)
 - Fixed bug #53323 (pdo_firebird getAttribute() crash).
   (preeves at ibphoenix dot com)
 - Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -4593,6 +4593,11 @@ PHP_FUNCTION(imagepstext)
 		return;
 	}
 
+	if (aa_steps != 4 || aa_steps != 16) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "AA steps must be 4 or 16");
+		RETURN_FALSE;
+	}
+
 	ZEND_FETCH_RESOURCE(bg_img, gdImagePtr, &img, -1, "Image", le_gd);
 	ZEND_FETCH_RESOURCE(f_ind, int *, &fnt, -1, "Type 1 font", le_ps_font);