php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73279 Integer overflow in gdImageScaleBilinearPalette()
Submitted: 2016-10-10 09:25 UTC Modified: 2016-10-10 09:25 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.6Git-2016-10-10 (Git) OS: *
Private report: No CVE-ID: None
 [2016-10-10 09:25 UTC] cmb@php.net
Description:
------------
On platforms where `char` is actually `signed char` an integer
overflow can happen in `gdImageScaleBilinearPalette` due to sign
extension when `red`, `green` and `blue` are passed to
`gdTrueColorAlpha()`.

This issue has been reported against upstream libgd[1], but as
PHP's bundled libgd is affected as well, I'm forwarding.

[1] <https://github.com/libgd/libgd/issues/330>


Test script:
---------------
<?php

$src = imagecreate(100, 100);
imagecolorallocate($src, 255, 255, 255);
$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
printf("color: %x\n", imagecolorat($dst, 99, 99));


Expected result:
----------------
color: ffffff

Actual result:
--------------
color: fffffffffffefeff

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-10 09:25 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2016-10-10 10:18 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fc989fc6e773ccfb4d9ade0f466a3c5c2820bfdc
Log: Fix #73279: Integer overflow in gdImageScaleBilinearPalette()
 [2016-10-10 10:18 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fc989fc6e773ccfb4d9ade0f466a3c5c2820bfdc
Log: Fix #73279: Integer overflow in gdImageScaleBilinearPalette()
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC