Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix bug#72697 - select_colors write out-of-bounds
  • Loading branch information
smalyshev committed Aug 10, 2016
1 parent 620b013 commit b6f13a5
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 3 deletions.
6 changes: 3 additions & 3 deletions ext/gd/gd.c
Expand Up @@ -1651,11 +1651,11 @@ PHP_FUNCTION(imagetruecolortopalette)

ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);

if (ncolors <= 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero");
if (ncolors <= 0 || ncolors > INT_MAX) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
RETURN_FALSE;
}
gdImageTrueColorToPalette(im, dither, ncolors);
gdImageTrueColorToPalette(im, dither, (int)ncolors);

RETURN_TRUE;
}
Expand Down
17 changes: 17 additions & 0 deletions ext/gd/tests/bug72697.phpt
@@ -0,0 +1,17 @@
--TEST--
Bug #72697: select_colors write out-of-bounds
--SKIPIF--
<?php
if (!function_exists("imagecreatetruecolor")) die("skip");
if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
?>
--FILE--
<?php

$img=imagecreatetruecolor(10, 10);
imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
?>
DONE
--EXPECTF--
Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
DONE

0 comments on commit b6f13a5

Please sign in to comment.