php bug 72519, invalid color index for transparent color can lead to OOB

2016-07-19 14:38:26 +07:00 · 2016-07-19 14:38:26 +07:00 · 118fc7098b
parent 973cac8f3f
commit 118fc7098b
8 changed files with 59 additions and 1 deletions
--- a/src/gd.c
+++ b/src/gd.c
@ -711,6 +711,10 @@ BGD_DECLARE(void) gdImageColorDeallocate (gdImagePtr im, int color)

 BGD_DECLARE(void) gdImageColorTransparent (gdImagePtr im, int color)
 {
+	if (color < 0) {
+		return;
+	}
+
 	if (!im->trueColor) {
 		if((color < -1) || (color >= gdMaxColors)) {
 			return;
--- a/src/gd_interpolation.c
+++ b/src/gd_interpolation.c
@ -1167,7 +1167,13 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
 	if (new_img == NULL) {
 		return NULL;
 	}
-	new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+
+	if (transparent < 0) {
+		/* uninitialized */
+		new_img->transparent = -1;
+	} else {
+		new_img->transparent = gdTrueColorAlpha(im->red[transparent], im->green[transparent], im->blue[transparent], im->alpha[transparent]);
+	}

 	for (i=0; i < _height; i++) {
 		long j;
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@ -50,6 +50,7 @@ if (BUILD_TEST)
 		gdimagesetpixel
 		gdimagestringft
 		gdimagestringftex
+		gdimagetruecolortopalette
 		gdinterpolatedscale
 		gdnewfilectx
 		gdtest
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -44,6 +44,7 @@ include gdimagescatterex/Makemodule.am
 include gdimagesetpixel/Makemodule.am
 include gdimagestringft/Makemodule.am
 include gdimagestringftex/Makemodule.am
+include gdimagetruecolortopalette/Makemodule.am
 include gdinterpolatedscale/Makemodule.am
 include gdnewfilectx/Makemodule.am
 include gdtest/Makemodule.am
--- a/tests/gdimagetruecolortopalette/.gitignore
+++ b/tests/gdimagetruecolortopalette/.gitignore
@ -0,0 +1 @@
+/php_bug_72512
--- a/tests/gdimagetruecolortopalette/CMakeLists.txt
+++ b/tests/gdimagetruecolortopalette/CMakeLists.txt
@ -0,0 +1,5 @@
+SET(TESTS_FILES
+	php_bug_72512
+)
+
+ADD_GD_TESTS()
--- a/tests/gdimagetruecolortopalette/Makemodule.am
+++ b/tests/gdimagetruecolortopalette/Makemodule.am
@ -0,0 +1,6 @@
+
+libgd_test_programs += \
+	gdimagetruecolortopalette/php_bug_72512
+
+EXTRA_DIST += \
+	gdimagetruecolortopalette/CMakeLists.txt
--- a/tests/gdimagetruecolortopalette/php_bug_72512.c
+++ b/tests/gdimagetruecolortopalette/php_bug_72512.c
@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+#include "gdtest.h"
+
+int main()
+{
+	gdImagePtr im, im2;
+	int error = 0;
+
+	im = gdImageCreateTrueColor(100, 100);
+
+	if (im == NULL) {
+		gdTestErrorMsg("gdImageCreateTruecolor failed");
+		error = 1;
+		goto exit;
+	}
+	gdImageColorTransparent(im, -1);
+	gdImageTrueColorToPalette(im, 1, 3);
+	gdImageColorTransparent(im, 9);
+	im2 = gdImageScale(im, 1, 65535);
+	if (im2 == NULL) {
+		error = 1;
+		goto freeim;
+	} else {
+		gdImageDestroy(im2);
+	}
+
+freeim:
+	gdImageDestroy(im);
+exit:
+	return error;
+}