Skip to content

Commit b6f13a5

Browse files
committed
Fix bug#72697 - select_colors write out-of-bounds
1 parent 620b013 commit b6f13a5

File tree

2 files changed

+20
-3
lines changed

2 files changed

+20
-3
lines changed

Diff for: ext/gd/gd.c

+3-3
Original file line numberDiff line numberDiff line change
@@ -1651,11 +1651,11 @@ PHP_FUNCTION(imagetruecolortopalette)
16511651

16521652
ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
16531653

1654-
if (ncolors <= 0) {
1655-
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero");
1654+
if (ncolors <= 0 || ncolors > INT_MAX) {
1655+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
16561656
RETURN_FALSE;
16571657
}
1658-
gdImageTrueColorToPalette(im, dither, ncolors);
1658+
gdImageTrueColorToPalette(im, dither, (int)ncolors);
16591659

16601660
RETURN_TRUE;
16611661
}

Diff for: ext/gd/tests/bug72697.phpt

+17
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
--TEST--
2+
Bug #72697: select_colors write out-of-bounds
3+
--SKIPIF--
4+
<?php
5+
if (!function_exists("imagecreatetruecolor")) die("skip");
6+
if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
7+
?>
8+
--FILE--
9+
<?php
10+
11+
$img=imagecreatetruecolor(10, 10);
12+
imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
13+
?>
14+
DONE
15+
--EXPECTF--
16+
Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
17+
DONE

0 commit comments

Comments
 (0)