PHP :: Bug #66356

Return to Bug #66356
Patch libgd-v2.patch	revision 2013-12-28 08:13 UTC by remi@php.net
Patch libgd-v1.patch	revision 2013-12-28 08:13 UTC by remi@php.net
Patch bug66356.patch	revision 2013-12-28 05:34 UTC by laruence@php.net

Patch bug66356.patch for GD related Bug #66356

Patch version 2013-12-28 05:34 UTC

Return to Bug #66356 | Download this patch
Patch Revisions:

2013-12-28 05:34 UTC [diff to current]

Developer: laruence@php.net

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 49970c1..0791809 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -4987,6 +4987,10 @@ PHP_FUNCTION(imagecrop)
 		} else {
 			rect.x = Z_LVAL_PP(tmp);
 		}
+		if (rect.x < 0) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Negative x position");
+			RETURN_FALSE;
+		}
 	} else {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing x position");
 		RETURN_FALSE;
@@ -5002,6 +5006,10 @@ PHP_FUNCTION(imagecrop)
 		} else {
 			rect.y = Z_LVAL_PP(tmp);
 		}
+		if (rect.y < 0) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Negative y position");
+			RETURN_FALSE;
+		}
 	} else {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing y position");
 		RETURN_FALSE;
@@ -5017,6 +5025,10 @@ PHP_FUNCTION(imagecrop)
 		} else {
 			rect.width = Z_LVAL_PP(tmp);
 		}
+		if (rect.width < 0) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Negative width");
+			RETURN_FALSE;
+		}
 	} else {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing width");
 		RETURN_FALSE;
@@ -5032,11 +5044,20 @@ PHP_FUNCTION(imagecrop)
 		} else {
 			rect.height = Z_LVAL_PP(tmp);
 		}
+		if (rect.height < 0) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Negative height");
+			RETURN_FALSE;
+		}
 	} else {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing height");
 		RETURN_FALSE;
 	}
 
+	if (rect.x >= gdImageSX(im) || rect.y >= gdImageSY(im)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Posistion exceeded");
+		RETURN_FALSE;
+	}
+
 	im_crop = gdImageCrop(im, &rect);
 
 	if (im_crop == NULL) {
diff --git a/ext/gd/libgd/gd_crop.c b/ext/gd/libgd/gd_crop.c
index f0b888a..9068630 100644
--- a/ext/gd/libgd/gd_crop.c
+++ b/ext/gd/libgd/gd_crop.c
@@ -46,9 +46,15 @@ gdImagePtr gdImageCrop(gdImagePtr src, const gdRectPtr crop)
 
 	if (src->trueColor) {
 		dst = gdImageCreateTrueColor(crop->width, crop->height);
+		if (dst == NULL) {
+			return NULL;
+		}
 		gdImageSaveAlpha(dst, 1);
 	} else {
 		dst = gdImageCreate(crop->width, crop->height);
+		if (dst == NULL) {
+			return NULL;
+		}
 		gdImagePaletteCopy(dst, src);
 	}
 	dst->transparent = src->transparent;

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 11:01:33 2024 UTC