php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch fix-74435-php-7.0 for GD related Bug #74435

Patch version 2017-06-20 14:47 UTC

Return to Bug #74435 | Download this patch
Patch Revisions:

Developer: cmb@php.net

From 5e11807c1e0a9b33228e59aa669207d47916cbbc Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 20 Jun 2017 16:45:42 +0200
Subject: [PATCH] Fix #74435: Buffer over-read into uninitialized memory

The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.
---
 ext/gd/libgd/gd_gif_in.c   |   3 +++
 ext/gd/tests/bug74435.gif  | Bin 0 -> 11464 bytes
 ext/gd/tests/bug74435.phpt |  27 +++++++++++++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 ext/gd/tests/bug74435.gif
 create mode 100644 ext/gd/tests/bug74435.phpt

diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index 74b7493..76ba152 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	int haveGlobalColormap;
 	gdImagePtr im = 0;
 
+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
 	/*1.4//imageNumber = 1; */
 	if (! ReadOK(fd,buf,6)) {
 		return 0;
diff --git a/ext/gd/tests/bug74435.gif b/ext/gd/tests/bug74435.gif
new file mode 100644
index 0000000000000000000000000000000000000000..92fbb7ff20d577a87e9f107e87ae4dfd5f7e069c
GIT binary patch
literal 11464
zcmV;(EH~3fNk%w1VE_RD0e}Di{{R5~001li000000RRC22>$^82^>hU;6Hx|6DnNj
zub;z*5F_^EN3o*Ci~RO!+{m%xK7AlViX5pgpUIObQ|80RvZc$H`0mM^NwelXdpL9I
z+-a|#&!0ep)}u$XsL`YJ<|$puwCOx~P@_tnDleYZt5~zfgU7Y2*RSvliXF(XY(j}>
zA7Wfv(WBdqB;$ruN%thoyDe?%oyoIrPN9H*A{|`Rso|wm6Gzp`_$t`PUB`|!Yc_3K
zwrt<Nl`FSyUA%br?)B?8aA3lO4<A;nxN&31kR^+yT-GvL%xg8f<s8>DUC?($>m}XS
zG+@+&RU2lV*fnF=k7XOA&Cs?)+!%Fx<W17IO5iYs+y5la)3{LNNR>NfPSv?q=wPK6
zq`uI4MC=!}cjP|OdrI&xiB}VOJDC?0dPk|(6nj&-mlb?p$wv@<3fTt{eirG+5q~22
zhZ2A;2}l!xIvEHQf<`IG6oXPZh!uohNk|rj2wA8Wh7@TC7l$BuXcveqiO3g;IGHFI
zibSc17>iK3=opM#$tVzwHQG24jv49r5sxMLxDt>t33(HdJsCL^l1VA~6q8jsxfPUQ
zNl9fxR$`f@j$C%>BbZ?dNoJWwqM4?WY_{nnoN>xHr<GUYsO6SCdif=gVvb3qnP(!Y
z=9)~p`6iT79z-Rhc0QV?q<mKTC#HgKTBxUphX1-~omiU6C8}VmN+zply2>W3aLPI=
zt&VDWs+XyXxvH71s`;v$vC28DjinlUE3&yNyDPK3I{PcM!AeUbskK@gDYleqdnvb?
zdfO?uP`)GYy!6)ljyw3~tM9(<wBzr;00-O-I|LVO@WJe?qwvBEH@uEI5JxQW#OkDD
z@x>TtoDMo1ckJ=U=$s?+$RwA1jyWi&tn$j{l;iTtFvnaDIW*U7^UdUpqw~%@_dJd`
zKnE@K(Bgz+^wCHs9S%55H|_M(;Mgnmy!=+3ufSOUi}2P3JM8ts6o(zL#$;a%^4T4m
ztoFz(x1F-gaKDW6+%@}b_s&G;9kkMXAO8*Y-%U?FwbfQ<oi*27fBm)CVwYVu+Gwx6
zw%cyU9XH){-+i~<diUKo;D8G*HQ`kojy2+2EABPpVLMJX<Y!B+Hsx(w4maj=Yi>8^
zd3(+`=zoiDFX{Z6E->l{tL`xC6uYi5>>$f-GVLteE;H^p>+Un}MEkBZ@K6h1FY)^t
zA29L<E8j5l6FZ+V^dC!KGW9E4A2aqhYu_{XLwlbz_)ilby~w98^8pNf22&ry*e5af
zVGMpAlOM_Gr!xD&41YG$AJ6zFH2)zDfKC%2)d+|$18NO{1XCc`7zi;3nhk;+lOWqD
zh%yVx4TCh(Al^6#G!Oa>giI5my#Gj8LK6-Qg$YyP!&q1`7j6uOA(P?BXxK6v&J2e+
z)8Wr}STr9l4Tw<_A`$y#L?k9rg-mRs3!xZA8B(!|HpF5Ub;!jo`Vfp^6yX?+ctjK`
zafvK+;uB#g#VOLzidV#;7PrVlFMbh-LcA9d`Dn&Jrcsb=EaV#zDaS?D(UEwJ<Q~h2
zL`yOelTg$o6*-ATPjV5IU=-yfN$E!=Uebw~l;S3>*hwvZ(u<)K<19^BNn4&0m#Ng{
zDtXyTU%nEUu@oi=DOpNm1`?TsROTU>sYquw5}H8#hB(Jb&T@Xk8|X}@I@jrqZn*QE
z@Qi0SxIxc)+Vh^=*oHp$$^XxOZbKUY4X8i|s*P+I^q>e$Xg09H(1tqnq1d>FL?=qo
zieAGS7|p0gH)@S)c=V$n4QVx~LDG_%^rY07hDuk;(w0s`8ZeEiOlK;MXxQ|oIL&D^
zpuy9g`t+yJFsD$*$<CstQ=UkDCq9>2Pk%afp9GC+Kov^WgF^JG4YjCNC(6;TW>lnL
z{U}PuT2hyqb)_^-YfN>@)|&$Ltvwy;P>pKTq$ZWAOnvH8r7G2`Ru!vQ-Rf4o>eaA@
zm8@hv>si&R*0#14u5gvBQ0ZD!yCM~@OVz7W`5INfQWdaQ6|7bX+f~DY6|rMgtXUbG
zR>!gxvTv2FIVsCd%m2y~v-s4kKRHWK&ngtO5EZRONy|~wiWIddRjo@|OH<eC6t+N>
zZ8>SXPTR&4xA)X-KY2S)-zF5e4;5}jiMvtbh7`FcRc=d}J5%T86uLi^E;*^IPV2%G
zyY|#BKe;PV?;;eu4izs&$*WQGf)u?bRWD1~D^vI46uv%{FHz}>PWvhqzx32ERQU@~
z|5_Em3>7d}35-z#ixt5nRWMo^3{wZY6~a7~usA7PVGGX_!}-+kKRH}b4=)tN5f$-8
zN!(Erj}*lzRq;z%TvHeC6vjc7F^$`4V;tvL!#wV>hk+bq5fiz{CPs3SRm|ijyBNw*
zmhhBqd}9pjc>l*7_VJHFEaV}R*vLmlv67d}VkbWt#xg!9joEDFH)mPST(0w%@hs*&
zm)Xx~4)mI<jAKLd7|}phG?5vNWJfa@(omN4pegNU9Ut1qi5BvrjofG@KibKWmhz}A
zTxe5Y8r7Lr^`=?fX;*(5)}fX)g$Z40TgMsKbk_Bqd97z(_ZiqQeulKCP3>ww!x`Al
zwzjwJjAnTI+u#m&Gnhf{a+~|y%vgrH*Uj#BFGCsdj<>w$t&C*Y``-A@cQTN{?|%FH
z-^e(Izz0t7f*->e2v4}e7jBGVIQ-!dk9aYNLGg-P{NltIhQ>F}@s1Be7$6V1$VV=W
zV3_>mDF07+Fo41Gmb?7rz_7N=r_Jq}XItDj|2DdJUT$~$eBJa8dc5^b^m_yR=>0ah
z(g)7)rYBtDP=7ear(SW7TYcjs&w9vJ&h?YS{Oc{B`OIx@^PK0L=RE)U&xJ1Zq8A<M
zNMHKWo$mCgN1f_azxvg+uJx{W9qeEiyUfX6bF<?d?K@Yy&)FVyw-X)iN0+<O>E3j^
zLmlr^*SppEo^`)-9q?ZlytN6>ZNrNj@#t2(yBSY!$LkyN0GGVMDbH}rOC0kU*SyC$
zPjb(z9P}_3eYHuyZPSMv_2*W7yIDVP*XJAd|CW8hX}@sWM;!MT*L}x%KXTuv9QZF6
zKL53euWjRl8~Nr|KD(JOZ|CD1`u>(a!Ktrs>q8v-7S}$<xi50>qa6G$Cw??Xe%NMy
zI){GbrhY)je(>ggMhAcVCVxyve+XxPQip#Or+-+-e<0_7UI&0ICxFsMfCXrP<A#9g
zrhxCpfc55p`v!plCxHh?femMY6NiBrr-2{GfhFgGD+huxCxRr{Z6=6<DX4%f*n$oS
zgE1(9G+2Wch=Vz(fjroQ9tea%D1bv~f+vW8D!76S=z=c@figIQ6ljAth=Dq|gB<9C
zKL~;%cx@!eg+};=NhpR)ScXrChElkORp^FT7>8R}geYi-EQp6NsE0JjhdAhmJpTxY
zKq!cFNQhpjf_LbGc_@Q>XoG#IgMa9QfhdHNXn=KSiHC@ZiKvN-$cc^UiH``1ktm7;
zNQZ@JieZR~WT=W~$ck#{ifsssAovTyIE=(tjKAOu$e4`ExQxEg3(okA&=`%qzzft^
zjn;ULys!(}xQ*P{jk}-=;24hLIF7oI3+8x^=$MYVfD7!{j_&x5xNr;dIFIyLkGEh8
z_?VCSxR16_3;y_z02z?AKnny}kOp~>v@i<_xsVLmkh35Q5E+pYIgzpu3l@2i7@3i=
z01F)1kskSxuwaZLIgHF$lF2BIDEW-oxRTZAjV`&3<QS9TsE#ywj_`Ps?f+<xIysO0
z*pvAvkU;s52sxAm>5xXbkQAAe5vh?(d66LblpQ&eBWaQ*nUX2Vk}Ua>FDa8US(7!1
zlQ_APJL!`?8I(aultg)yN2!!b*_2HQl~5^_B1x4cX_Y96l`E;0F3FWK>6J7ImNzMu
zI!Ts2X_i2VmP4tQM#+{*>6T0hmrp5|#z>dUXqVE6m)NM6-pH5a=$GmUnD8i=_DGog
zXqW<tm<Xwu4#}7l>6jV`nII{d#YmaUXqnN7nb)Y9-N>2a=$YvVn(ru@^+=lgXqo|u
zng^+x4au4l>6#e{n;$8g#7LXUXq(W8o7SkC+{l~a=$q&WobD)`^#4el`e>X0iJS(h
zoD9jF66u^637sA(og_(}$Y`A^iJjD_oiNFr;OLz;37+gIo;*pO_-LL&iJk<ho=C}_
z5b2&y37;G(pTbC=^=Y5eh@aW0pWn!z<>;U52%zyOp!Z0i{b-;AiJ%FopbyEQ73rWG
z385h=p%mJT7K))6s-GO%q5cV?Au6CGTA~JuqA9ANEZU+D3ZpS9pEGKq7mA-6x}p5(
zp&tsMB08c3YN98Kpenke4C<mU3ZW8uj1<bGHu|JFDy2MHr9X<LLb|0z>ZM2;rb}9*
z7;2^*il!i{rX<RyDC(vx3a2nCr(;T|PO712>Y-^WqHAiRZU3sGZ|b6PDx-sHpJi&O
zcZ#Tas;GO)sD0|Fe+sFADyj5IrgdtmQHrTls;O7Xsaoo(T?(oY`U<i-tF&6Huiy%}
znyb3HtFF)rzWS@c8mz6r3dCBh#(J!*unNk$tjyZ1tDp+d8m-bgt*Vd;)_SejnysmT
z3f$VQ-ukVma0=o&uH;&-r(g=`ny%`)uBK25?)t9q8n2~53iMj9_Ij_RFbev*ul(At
zqaX?Z8?XX9u%ZwO279mwo3Nn(3Jlw@4*Rg6V5<^4tGrsVxhkv}`>V*hvBm1F9=oj6
z8nV%<tt5M`;Ciy%YOX3fuI$>f=_;=<`>yypv-Rq)HvhY?1e>z~tFSzKun_yR4Lh+D
zYq1uau^G#;9Q&~!E3zV6vL%bMD7&&N>#{BzvoTAvG<&l*tFt=Wvpoy6Kr6HoOSBbh
zv>1!D8>_S)%d{cuv?L3)Co8ooOSLU)wJ?jdGpn^W%e6V{wLA;9KP$GjO18Xew!(_G
z$f~x^%C^+%w%Q7};3~J~O1JE4xAKa&_^P-5%C`jTw+aim5G%N~O1QgfxWS6J$Evu^
z%DB_&xY-K1-zvG~O1bN5x$%m*_o})5%DDsUxd{up4=cK~O1ipgy1<IM#;Ur^%DU3(
zy4VW4-YUD~O1tW6yYPy;_Nu%5%DV#Vy9f)s4*x5>6id9gYP=eYyu_-!Aj`ba>bxck
zz1%9jEK9xUYP~Xxz4WTRILo~N>%Be;z6>kAvP!<?YreyZzR9Y-&&s~l>b~0wzu_vs
z=SsirYQOV}zxk@a|H{7w>%R*Nz!59J1l+3zjKB%3z6{*J?hC;YEWZ?7!S;*68LYn?
z+`;|}!XYfaBW%D2jJ^uI!0hY54-CH&Ji+v9!556b8oa^$>%kukzyf@$1kA%G{KF|M
z#4KFIFO0-8yu>x^#5f$qJ6ysDY{d+W#SpB;6wJjK?8O`m#vm-lQ%uG_tiV_7z*#K8
zTWrBytifOG!C@@Ib8Nm<Y{zGe$7!s`YyZs0ZS2Qy49IaT$mC1KWo*bnjL1Z+$Vbe`
zO6<r@49Nie38Fm8q+H6M;0dUl%BsA|p3n)d{K~K#%bmapv|P)!e9N4$3A((?yxhy1
zpb5Yn%)&g(nve;`e9Xw4%$a}*%-qb*{LGke3DP{x)LhM%U<ufq&Dy-pmQV@a{LSDT
z&Xqt3<Xq0?e9n|G3F^Gg?A*?iAPMjs&+<Iak`M{@e9!ot&yfHL{M^s}{LheJ$^t#g
ztX$BkEXxS}%DBAHwd~6dz01TL(ZQ_D6n)Ile9_Hp%^E$;+}zRGEY2YP&FDPR<?PNT
zz0UNU(($a%EPc-a{nGtB&;xDI2LGMV3C++9{m>6B(Gp$J6^+ptz0n)((H<SrAx+XG
zebOhb(kk83Ee+E!Ez<%`(*<qQ2#wPVt<w(8(-G~{6b;lDEz}xK)E#ZqAdS=`t<)yX
z)G6)MEDhB!E!Cz>)vRpQvW(TZtku5E)x_-8$_&=fEY{Xc*4%8?;*8eltk&+#*7WSw
z`V7|qE!U+?*Q;#Tv5eQZtk=EF*Td}B$qd-fEZEgd*xPK_;f&bltk~_$*z@ez`3%|r
zEZL+?*{W>Wu#DNZtl7NG*~0AE$PC)fEZWpe+S+W|;EdYltlI3%+Vbq$_zc_rEZYQ4
z+o){Y3XR*etlJRH+raGG7XJ<0%q-j-P2AXQ+#-$K<gDB%&D`+p+%65>{4Cv~Ox@LO
z-Ls6{xvbs4%-zN8-OCK#(JbEAOy1pW-s6nk>8#%G%-;3v-un#S0WIJ3-OBcj-}$ZG
z{N3N)4d4MT-UMFY=8fP9uHFpZ;O-6K5iZ>mZr}Hf-TJ-X-0k204c-Di;N)%K2aetf
zzToWb;13Sp@_owm&EgjR;u$XE9A4uej^iS}<0bCnC?4c1Ug7v{<ou1~0IuW&&g2O0
z<O~kw5H96IPUSAH-$(A>NiN_^Zs1L>;7{)0Q7++QZrw$0=2wp9S+3?=&gNb2=3fry
zVJ_#?P2^Q>=P{1wH2<#WH_qoe?&m!Y=<xjrl0NB_Ug?kE2$-Jfn!f3d&<LLX>7X9!
zjlc+`Uh1ZP>Wr`ms=n&1-s+2>2(TXOvOepIkO;PZ>$slliGT>a-s`^p>xgg&!anT8
zUhIcp2*{r7%D(J|PzcWc?9d+Vg+K_@UhUR??SwE0+P>}F-tB`R2;d&>;y&(z5D4ae
z?&zNGfdB~X-tO-H?tozF@;>RDUhkPM>iGWYsJ`!|?&|)&>a-s4v99X`f9t@0@V##A
z3P0@3-tfsT?GXR$*go;q?(G)8?c|>E;jZo+f9~-9@$EkE^KS3<p6~h2@BIGn|1R(X
zU+@Kw@Cd)~3;*x%4j=ImPw^Cg@fWZ08sG695Aq-{^72md^=|U`j`I7i^8U{90q^nz
z5Az2v^9oP%4R7-hkMk3+^A^wZ8SnEP5A+`|^p;NaoNn}@j`XOm^sdhIwC?n}4)wq;
z^~O&1%x?A4j`i5C_1@0)<nHzA4)*Xa_LWZdn{M`@j`pXn_N~tLv+nk}4)?z<_r*^4
z%Wn74j`!ED_ubC-<L>wA4*2gb_>@lgnr`@@j`*go_^i(OvhMh}4*9+=`NU57%5M44
zj``NE`P|O=;_mtA4*Kpc`t(lvm~Q&|j{2mo`T)=Ru<rT>5Bt0>`wUO}$Zq=*kNecF
z`xwvr;Q#LX9uNHNF8q>C{KaqlqmKNkuKcgg{I%}<yAJ)qF8#+&{mpLu(~kYwuKnN6
z{pAi2fdmdDSP;-bgb5V_deqS2Lx_(YO{7@SqN7F`HE!hCh|x!oAw@D;RMO;0l#3Lt
zWZBZCqC_!e&ZL<L(M_B=bs{>{)8|j1hYSrRTGXhaLP?b_Wm<^PQ>am;5*k$1>Q$_R
z1a0No)vKU_VGS-MdobczhZogS?ATW0NVp(V&NcbcF3XyEW$xsQGw5HRM+FmYT3G2+
z#89&?w))jESFw=;l`V@F?b@|&-Nubem+sxWdiD103mEX=!G;YdPRy9`<HwT4QYLHp
zEdOS;n%i=Q>v=9{yQ1@w=4<*dYQd@tvqtQCF>J@O!_r=8J0k9jx;ye7={qIxm%?ij
z-)TH3@}tU|GN0-^EA+3@$5KaV9U^v%+BtF;=^Z6_m&BuqJe|w~3O%FLV~Rbg+`|e!
zujC_$zJ%<12)~N-+larA{5uK2mIR!Mz?=;H3BjTiT#CV{9J~s`t|T0YLWKUX@kShT
z{KF3(d-U-~Kl%`INFs~ugAXK=RB}l^_Hgn^D5Km%4=Ss)@=87O&~i&IyUYU*FvApc
zOg!!|^Gr0;yu%JQ+jR3yJL-^gPCDzXgAP3N)N@Zd=J4}RKm(ma4nhkx^iVnCQ2%sM
zMjMR-4oD-FbW%8UwDd+GGwsnxPKRXj(<G%7^+_yCt<p<Ww<L4bFx7PROgLk0(@t9F
z<nz`%1=aOWM0+jNQD7IPbl6BQy;M_8JM9!yP)8lrR8vz;l~q<>eN|RjYpoSmTzB2o
zS6_n-mRMqqwG`P*mF1M#Pn{JN+ES%OmD*LUbrsuKwWXEYTfNm4++M{6mfT^@)e&7F
z)ish`Cf$`1UM%JHl3p_HRTE!0^|g~<KK&IGU_=FWlwe8?&Jp1s6)uwDB^{0u;wvTY
zlHxHfP7~udHLjE6Jv|N-<U>Vnl;lZG#t~&7RVI>UC0&LRW-Ddpl4db&M*kCMH+80y
zXFYue6lg<*W|U}2jm8vd9+mc#X(XK{6>2J_R+VZnt%enAHnp~uYdpQ?6>LJq7M5&C
z&9)KkwADV6?Izux67DSJ{*vx8?Oqe_IQ71h?>_w=6!1g^f0Xb_4M#jk#TjqhZO9{+
zoAS!-#yoSqIq%$W&_frT^wP~fUGc@)cKmU;C7+yb%P+@U^UeA8{ByuXADwW+cSIa`
z)rW80c-WJloq5}z&s}=ntN%T9#<ho>d&<4X9DL5j2c3M<&A%Rf;T_*z^6oAFUi0vI
zZhWFEpXu(Ww(RL|ef(>m|K10{_z7@+1gxI{(T2VBDX@49M4khe2me9mNicd8B-|TJ
zctRAW@C|NYVGCXOLN~NQhBKsL4cov59Oh7mJ7mKeeE35k25}8)AYu`Xctka%L5WLb
zViVJV1}H{Ric>_x8LW6kEN1ZxX5eBMz4%2lltGMRBx4!NKn66XQH^UP!x-H7MmWZC
z3}T>T9qo8WF@!;nd*ovu!vF?A22zlN1cM3<c|sT_vV}He<P3TE$Q%k$l0QUZC5z}p
zOfHd%n~b6sJ$XeihO&!hB;^>{c*-=&QI&7RV=L?EM_BHWkh2WrArGlYMK-dLkc8wU
zCuvDbW-^nU<m4wmDN0e6vXrPq<tkU{N>|1*mb9d$Ee(mwME~lNk-U7QFC_`gN(vK`
z#N4DYJ&DXvDwCAVJf$;L3C&hY6PDDRr8QNEO&Ds^hTP<#H-!jJB#P6C<fNiGwTMnI
zs?&_@WTQLf2v0o9(~tBdq&-uJ&ll>mhWy;2KZ6L+BMP*M1f8Nmvxv|yDzuCYU86(e
z2+=!Aw2u@Wq(xDPQ5R~Ih8)$QM}Y`ZBZ`!XB$c8`v4~PHs+5c@RijJc2va-Cl#etO
zq)ictQx@vfkvzqrPbmphA_`TLM1`VJL5Wl@D%F%sMWa($2~|2uRhCo*q*YCb)vRju
zhFtBTSBD7JB#QNkWUZoEw}{p-s`ZR)ZKGS~2-iHy_5Y7_Eu>xX8biJEwXa?UY+%Jo
z*ut6>v58eHV;k#M$VOJKl&!2)FRRzRa@DVY1*>2OOIE`k7Oje1EL$D>Shz}dvUIiU
z3h@eC&Ca&7wgqi&N6TB&{x-G3Wo>a^n_0dp7qHAFtaA|yUB*fmvec!lb&rc(+4^<4
zf^Dv0pR3sDI(E8}t*&LytJUPHcf0KEu6w@=-|)(Jy!0)veX)w%?CQ6+{Kc(*cMD+O
z3OKj~rt23hd|?b{_zPa(aECqoVJ~z+#3LqgiMzlB6sK6lE9Sx$T>N4f$9M}`pmB|D
zd}A$SLB~7hagVcr1t14m$V0}$6^wjjBq#X_R{vmflb!rzD^x+sQ>Jp2t3U-TXIaZz
zrot4w{ADnQc?wb>bD7P2W+_BL&1+_Jo1*{)ILBGebB2P3?R;Sn=effs=JSYI{O1(Q
zSkN!VaiMGMV?^(m$cqlLk{x|yC`Y=<R;KinxqRs?i&@iOMsugj>}F7}na-n*^PTUk
zXFd11&wvK>pa*SeLnk`XjArzsA1!G~SGv-e#`LB)?P*VkI@F{lwW;ll>O8BO&#eBl
zs|5|~LdzP_v|hBW9gXWq>zdNMzO=734eU+}8`Q)ewXrpfY!EBk#LQ-~vt<lz9825B
z)F!gEm5gmDYun1)=CZfN3~n@w+s)*rv;Vm>jP4JsyTt5XvAbgo?;Fdz$Mhbuy_1aZ
zC+oY){NA#^!wm2<3%tz)pR>U+jBpPtoWu-QvBO~uaT`mV#}pT`#gUA0Cu^L_9M`hP
z!3=UUi=53Qm$S+7jB*aE+|MjWvC9b!a~jKB(KH9L%^{6*ChOeNJjb%nISq6&3tiMi
zhqKWwjP#@{{lrXfvD0S^^&Ct6$5bz})t8L*C~N)7T<@~i#|-u~i~Y@Hud~_F9%8k#
zz3onid)%c?_qtmh?|Iic-}~-$zz1IJgfG0&53lyMGu`cPhq~P7PIbHA9qW4EJJ<dG
zcd!e7@MJgphS3gs#gD%6riXm$C;!iS%fCMJvgds5Kc9HE>mKgBr@Qa*4t%}~AMnH{
zyzy_3e9^mo_j2#O-G8t5;QM{}f-k<|udnpnYk&FNZ@%}R5B}(jfBNLFzWI@k`{b*?
z^z28y`&SQt*OR~4qd&5H0s}li1WdpuZ~_KwKnHw4Cujl*oInb!z$Rb<49q|c+(0H+
z0uTH^5DdX3Py!MxK@&VdB}f7lTtOCW!6ZNe7>q#~oIxZw0vo(R9L&KZFajRzK_C1<
zBPaqP96};2!Xh97BuqjjTtXrk0w;VzD2&1(5CST!LMyyNAqWC3+(Itw!XN+wFbqR6
z977;bKr=i*2u#BUv_LkTK>rSW!weKbIs8Brtiuv?K|EYR8r;Je)ImSIK_Cpo9yCHi
z96}~M#3YnLMSMamY{V+`LP*>~GMvOPJi{|oLp5x}HiSbsoWnV^Lp#jFJmf<@{KG#K
zL_sXXLPSJFT*O6mL`RIoNTftcv_vz+#5B}IHsr)N^h7xX#X1y4JS4?EG(|r|#XwX=
zLS)55bVWsk#YU7xNTkI{v_%EPMF`YI3*<!(^hFT_MidlA7bHd+G)5gnMj%v1BV<M<
zbVezJMl6&@FQi5?w8jL)#s}2K3gpHO^u`bb#}gFC79__RG{+o7#~)P3B4o!UbjK)!
z$19Y_E~LjXv_}NQNB;-ZM+)Re4fID41V|GUNEReW88k>7L`WZ0NFroNC3HwAgh(rt
zNG_yEF|<fD#7G9zNH^q24D?7k1W6JUNj)S<7&J*hL`fc0Nke2wBy>qegh?utNlBzh
zFtkYn#L1l0$qVGk4)n<p1j-Z?$`>Tc8Z^osM9Lsk$|GdTCUnXvgvu<G$}gnKGPFvp
zj6kjA%C7WDunbF~B+IfiO0-N%rDV&tbV|64OR1#Gy0po=)XJ^oNw54$pcKooBucY9
zOQclGwPZ@Sd`qa5%ekaVt6V^=giO7h%)Yctz|73S<V?f-%)}H;#w^Xp%uB9RO|WE5
zvUE+fgiW@TP5-#0O}ezr)5J~5^vcx~%hoi@*Hp{cbj#V4%i6Td<J8I2RL<RG&fav+
z--OQKl+NL#&f>IAoJ7ss)XvJ}PR#Vq%>+-+6wlBkPpbR@`@B#5%+DY20siby|NKuM
z=m7y8Py#K`9^e54O;810P#)L;2YpZojnEy?0Sc{93%yVs$N>%AP!8?T9KZn(4N(yt
zQ5?7d6FpHBP0<^$0Tyjh7kyD1r~w(BQ5vn$8lV9j%~2iQQ5u*5AN^4v4bmBq0U|9@
zBRx_Xhyf*CQYLNE7=QsNjZ!I{QW(%rE4@zu&C>ofP%a%%2K~|ml~6H#Pz){83iVJl
z-B1!;)Bg}vQ8ztN7>&~wwNW~qQ69b192HVM{ZS<C(;{_JKwVNQ9n>hj(ks<cE$z}S
z1ye8`(=jzuGfmSpWm7hN(>Ik<Ijz$=#Zx@p(>?W5KMmACB~(H+R4YZ)ELBu4Wz;Wq
zR569rGL=*`rPMXGR5!)cIMq}-<<vX%R6PaNJ{46!CDlPSRsBR&09923WmN`sRSAVv
z43$+6rBxEORTafm7}Zr9<y9W_RUrjdBo$UCB~~gm*8D`)|5VljW!43C)(C~x3zgOm
zrPdL())d9o7uD7p<<=eb)*uDfBNf*sCD$o6SNud*|5R53Wmg4tR|thy3zb(6rB@NP
zSN{~nR~OY+8s%3V^;aMTSR)l!CM8%YHCQY~SpHO4FJ)K+byzZmSPGR`HKkY(wOBaC
zSQgb-JLOm$^;kXySt1o#K_yuzHCg*a*_2h;17+C;b=e7p*$kE052e`>wb>QL*%;N?
z8|B#^_1Pf>+9Va)Cnee{HCm(%P^D$srgd4Ujar$d+N!l#tj$`T<=U?GS+EUTp(We0
zHQBRO+NEV#r+r$OmD;JLS*yKToYmT`<yo)&TA&r%u_aog-A|+iT(uqCwl!S1P29O<
zT)TbTyp>$Ot=zv&Tc*`qsO4O$^<1n4U9J^fuq9oxHQmcaUBPwQ&6V2Dwc5|s+W*k?
z+R+u;(ly)LRoTqd-PPsY*7e=j1>V>d-q|JI+BII3#oW|Y-oj;G#C6`qg<i*%-pHk1
zqJ07LJzw-q-xqKJ_HAGHeP0)70r{O@`mNs<U;+HiU;W)*7FYrQ{a*kM;1y5-0xn<!
zK429{0R>)Q25#UKKmiDjU<saJ6gUA3zF-W_;1e(b4(?zN{$LX*0TCWy5-#BqAORFk
zVHI9s5*Ps&eqk7n;Smr48m?g*zF`pv0Uh399`4}~00AHlVj&)45KvzuK417v;`X&)
zCZ1pZed7ETU@87z1g_!&c3>=CU<%&i2-aXPzF-gz;|?}qG9F<TKI0UYVgEILVH|Gb
z8unp0-eDr1;~+lbBUWN1ZsI0}Vkn;CDYjxO&f+ZQVlMvTFBW4lF5@yrV>DjlHFje+
zj^j9{V>-5DBgW$-)?+5-<0tlGDF);!7Gx|Y<SjO2FGl1rR%9|}<TG|;HHPFimSi}l
z<T<uv^~GfP)nxnSWd8MJ0S09R7G(z}WePTB4Mt@UR%H`rWfpd28HQyXmSrENWg@oa
z^u^`()#du-<^A>L00!m*7Ul*f<_R|D3`XV;R^}3B<`s747>4E>mgXL&<{`Fb^u=cP
z)n@wTX8rYM00w6R7H0+~X9+fE3`S=UR%a4sXBBp57=~vXmS-NOXa6C#XC%gF_SI)6
z=4br%XDSA00v2d3CTIvYXfQ@-4pwM0W@r?4Xf}pu8kT4|rf49xX!FJBjMnJ;<>>zP
z=m7@l1QzKBCg}<`=?zBd5LW3EX6Y7o=^2LU9G2-Hrs*QKX`GH<o#yGD_Gq9EYLO=D
zqBd!yPHL5A>ZW#SsE%rxrs}G;=&RQ0o#tqt{%MdF>Y*lSqdsbsR_di@X{UZ_n3n3P
zrfHjAUz~<(t)A<ywrjA?>#^o*v;OO}7HqaI?6=Npo>pw2W^AH%Y@~*4rj~4|rfjOV
z?8C-vx%TPB7V5?}>c>{<$ad<<mg>s3>eJTf#8&OiX6?>)?f=h)?a-F((WdRvwrz|?
z?9A5fy5?=X_U*j}Zod}pz$R{*{s8N~ZtTwP5AXo)?r!h?ZV%`H@g8sTF7FQD0Q638
z^<Hld*Z}u_Z}^Vy4bTAku5bIkZw<%*{oZf>?(Yo1000kg0UvM-xBvq`a0E~A3$OqN
zZ*T{Ha0{pa37>EZukZ?>01VG?4c~AIm;ev|a1ami36KC1FL4t;aS4b36<=`{Z}A9#
z02q&P8J}?o&~6*QZt%|W?lx~8A8+>l@${B&A%AcDF7o>JZzSJu0$=g~S8yjka0rj`
z2Dfl3pKuPp@(dSoE&p&7@A49NaWG$T8Xxl*zwsN_asM6f@g4_qARqD}H*zCS@+4<+
zCV%oLmvSku@+!x2EZ_1i_i`@}^DrlKGB<M@NAnz4a~@~&A9r&hhw~zrb0nwpCAV`Y
z$MY!Hb1LWaEBA9P2lOr%bTB9MF*kJWMs)C2bn|9(_I7mnhIIUvbpNJw0=IMp$8-qS
zbPMNn4)=5s2Xzz|br&af8aMUqM)mJj_3~!*^>+36hV}cF_5P;y0k`!8$Mpx-^$O?p
z4fpjB2lf*e_7*4h88>$9Mt1L3cJgL+^>%jnhIadwcK)Vz0k?Jp$94zTb_(Zq4fl2s
z2X_+}cNQmi88>$vM|bX4cOPeW^mcb5hj;pxcmE})cL29{D93jO*LN%DcMSJ;E(drL
z7kDuzco;W$>qhv5SNQX0`1W@A`G)xXmiYgs_yV{11;_XZ*Z2$P_zw5@5eNAc7x@<_
z`5HHQln-x}XZe<Qc$klQiKqFRw|Jb-d5!1!p7(g54|<U&`l2`ZqgVNrXLy%?d5D+!
znWuQ0zj=(;`JLx@pZ|G~7y6+md6VC6lm~mIAN!^^d#F$Qsb_nufBUSLd#<nhuTOfG
z*L#@fdz$xqoCkcK7kr>6e4;n}yGMMnclo`S`M$ULzt{P|_xZsW`ocH*%UAfk*Zjrj
z{KohE#|Qn$7yZd6{mM6egva~DSN*bQegCv~{k4aEx0n66r+t!t0OLP?<WK$wZ~*3S
ze&>IF2WSB4pML7E{sv$G?9YDf-+l&I0Pp{P@DKk5Pyq5TfAc?o1xNt(Uw`&*{{%n)
z_>X`2pML~60Q<jx{LlXbFaZ7s2m=BK5*%3IAi{(S3lM1N@F7G3113_eXmNmmj2bs`
z6cFGe$dDof04QnlBuW4eR<dmA@_~bxGH23s(BLM{oH`pY=;`w(PzDQz5-n<Ufr6w;
zmoin5;3?FoQWGGkYV|5s1P8Wq?dtVF!LS7vl0_Kttiy|HDRykDaU@)jDd(DeX_sZq
zyfSz4#ToRk&!d8gHZ81lDq^Tv7yn!R>X@t8$Og)mMT>UrTDNZF#-&U5?p?il`}PG4
zc<^Auh7%`d%=qzR$zmy!wR{${TFq@a!}UBDv|Z78N%J-R7qwv3g;^tZy%@G**<oof
zv>g%mMco~FkMx}q_)Fn6iSINX6!}r*O_@)1o)!96>0_xUv<?xwMeQ89i}a2Xyi4NI
zM4nFO0fnAX>M_NhRPJE~pI7n`L|=XOrG+0``n|=UT>jMsAYKCQMW9~>28JME3LeIw
zVh%P2A!HH?M4?$0HiTh@8hXUxM;?9%B1|I2L}H013WefODz3;PRW4QqV~jG=c#w@Z
z;)s!sJM!pbNkFb7<d8)2WT)hjNGh2WlTSJMB$QyuIN6j{N_1tGT5`yxN?w9#lbB?d
ziQ<_~rMae7ZN3R7jdEUzrH(xI$fcJ-3MuB8Mk1NynQ1oZWSeeE8E2J?*6Aookm?C0
zrG8$DRHlQj+3BHEG88JES(1upq<f}H=Bj~eN+_&v%BpCsjXH|!sgw4}>!rTB%Bi8k
if@-6vwjOILkh(5wX|t^|32d~VCQ2)gqh9M{Kma>sw7>2E

literal 0
HcmV?d00001

diff --git a/ext/gd/tests/bug74435.phpt b/ext/gd/tests/bug74435.phpt
new file mode 100644
index 0000000..9d11eb3
--- /dev/null
+++ b/ext/gd/tests/bug74435.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #74435 (Buffer over-read into uninitialized memory)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(__DIR__ . DIRECTORY_SEPARATOR . 'bug74435.gif');
+var_dump($im);
+$width = imagesx($im);
+$height = imagesy($im);
+for ($i = 0; $i < $width; $i += 16) {
+    for ($j = 0; $j < $height; $j += 16) {
+        if (($index = imagecolorat($im, $i, $j)) >= 2) {
+            list($red, $green, $blue, $alpha) = array_values(imagecolorsforindex($im, $index));
+            if ($red !== 0 || $green !== 0 || $blue !== 0 || $alpha !== 0) {
+                echo "unexpected color at ($i, $j)\n";
+            }
+        }
+    }
+}
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===
-- 
2.10.2.windows.1

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC