Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6: prevent invalid color index (palette only), may lead to crash Add CVE to #66387 add missing NEWS entry
kea · Jun 8, 2016 · 4d81bf9 · 4d81bf9
2 parents 99f8a55 + 6d3fa65
commit 4d81bf9
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -15,6 +15,9 @@ PHP                                                                        NEWS
   . Fixed bug #72308 (fastcgi_finish_request and logging environment
     variables). (Laruence)
 
+- GD:
+  . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
+
 - Intl:
   . Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)
 
@@ -1005,7 +1008,8 @@ PHP                                                                        NEWS
 
 - GD:
   . Fixed bug #53156 (imagerectangle problem with point ordering). (cmb)
-  . Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb)
+  . Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
+    (cmb)
   . Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb)
   . Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb)
   . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb)

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -1767,6 +1767,12 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
 		return;
 	}
 
+	if (!im->trueColor) {
+		if ((color > (im->colorsTotal - 1)) || (border > (im->colorsTotal - 1)) || (color < 0)) {
+			return;
+		}
+	}
+
 	restoreAlphaBlending = im->alphaBlendingFlag;
 	im->alphaBlendingFlag = 0;
 

diff --git a/ext/gd/tests/github_bug_215.phpt b/ext/gd/tests/github_bug_215.phpt
@@ -0,0 +1,43 @@
+--TEST-- 
+Github #215 (imagefilltoborder stack overflow when invalid pallete index used)
+--SKIPIF-- 
+<?php  
+if (!extension_loaded("gd")) die("skip GD not present"); 
+?> 
+--FILE--
+<?php
+$image = imagecreate( 10, 10 ); 
+$bgd = imagecolorallocate( $image, 0, 0, 0 );
+$border = imagecolorallocate( $image, 255, 0, 0 );
+$fillcolor = imagecolorallocate( $image, 255, 0, 0 );
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor);
+echo "#1 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, -$border,  $fillcolor);
+echo "#2 passes\n";
+
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border, $fillcolor+10);
+echo "#3 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border, -$fillcolor);
+echo "#4 passes\n";
+
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor+10);
+echo "#5 passes";
+
+
+?> 
+--EXPECT-- 
+#1 passes
+#2 passes
+#3 passes
+#4 passes
+#5 passes