94 lines
3.0 KiB
Diff
94 lines
3.0 KiB
Diff
From e9ac8954be9f7d988189df44578d759ffdea3512 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Sat, 18 Jun 2016 21:04:33 -0700
|
|
Subject: [PATCH] Fix bug #72298 pass2_no_dither out-of-bounds access
|
|
|
|
---
|
|
ext/gd/libgd/gd_topal.c | 14 +++++++-------
|
|
ext/gd/tests/bug72298.phpt | 15 +++++++++++++++
|
|
2 files changed, 22 insertions(+), 7 deletions(-)
|
|
create mode 100644 ext/gd/tests/bug72298.phpt
|
|
|
|
diff --git a/ext/gd/libgd/gd_topal.c b/ext/gd/libgd/gd_topal.c
|
|
index b9cb928..d8dda45 100644
|
|
--- a/ext/gd/libgd/gd_topal.c
|
|
+++ b/ext/gd/libgd/gd_topal.c
|
|
@@ -43,7 +43,7 @@
|
|
* If it is not working, it's not Thomas G. Lane's fault.
|
|
*/
|
|
|
|
-/*
|
|
+/*
|
|
SETTING THIS ONE CAUSES STRIPED IMAGE
|
|
to be done: solve this
|
|
#define ORIGINAL_LIB_JPEG_REVERSE_ODD_ROWS
|
|
@@ -152,7 +152,7 @@
|
|
* color space, and repeatedly splits the "largest" remaining box until we
|
|
* have as many boxes as desired colors. Then the mean color in each
|
|
* remaining box becomes one of the possible output colors.
|
|
- *
|
|
+ *
|
|
* The second pass over the image maps each input pixel to the closest output
|
|
* color (optionally after applying a Floyd-Steinberg dithering correction).
|
|
* This mapping is logically trivial, but making it go fast enough requires
|
|
@@ -1320,16 +1320,16 @@ pass2_no_dither (j_decompress_ptr cinfo,
|
|
#else
|
|
r = gdTrueColorGetRed (*inptr);
|
|
g = gdTrueColorGetGreen (*inptr);
|
|
- /*
|
|
+ /*
|
|
2.0.24: inptr must not be incremented until after
|
|
- transparency check, if any. Thanks to "Super Pikeman."
|
|
+ transparency check, if any. Thanks to "Super Pikeman."
|
|
*/
|
|
b = gdTrueColorGetBlue (*inptr);
|
|
|
|
/* If the pixel is transparent, we assign it the palette index that
|
|
* will later be added at the end of the palette as the transparent
|
|
* index. */
|
|
- if ((oim->transparent >= 0) && (oim->transparent == *(inptr - 1)))
|
|
+ if ((oim->transparent >= 0) && (oim->transparent == *inptr))
|
|
{
|
|
*outptr++ = nim->colorsTotal;
|
|
inptr++;
|
|
@@ -1795,7 +1795,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
|
|
}
|
|
} else {
|
|
nim = oim;
|
|
- }
|
|
+ }
|
|
if (!oim->trueColor)
|
|
{
|
|
/* (Almost) nothing to do! */
|
|
@@ -2004,7 +2004,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
|
|
}
|
|
|
|
/* Success! Get rid of the truecolor image data. */
|
|
- if (!cimP) {
|
|
+ if (!cimP) {
|
|
oim->trueColor = 0;
|
|
/* Junk the truecolor pixels */
|
|
for (i = 0; i < oim->sy; i++)
|
|
diff --git a/ext/gd/tests/bug72298.phpt b/ext/gd/tests/bug72298.phpt
|
|
new file mode 100644
|
|
index 0000000..7fba241
|
|
--- /dev/null
|
|
+++ b/ext/gd/tests/bug72298.phpt
|
|
@@ -0,0 +1,15 @@
|
|
+--TEST--
|
|
+Bug #72298: pass2_no_dither out-of-bounds access
|
|
+--SKIPIF--
|
|
+<?php
|
|
+ if (!extension_loaded('gd')) die("skip gd extension not available\n");
|
|
+?>
|
|
+--FILE--
|
|
+<?php
|
|
+$img = imagecreatetruecolor (1 , 1);
|
|
+imagecolortransparent($img, 0);
|
|
+imagetruecolortopalette($img, false, 4);
|
|
+?>
|
|
+DONE
|
|
+--EXPECT--
|
|
+DONE
|
|
\ No newline at end of file
|
