mirror of
https://github.com/php/php-src.git
synced 2024-09-23 10:57:26 +00:00
Merge branch 'PHP-7.0'
* PHP-7.0: Fix memory leak in imagescale() Update NEWS Better fix for bug #72135 Fixed bug #72227: imagescale out-of-bounds read Fix bug #72241: get_icu_value_internal out-of-bounds read Fix bug #72135 - don't create strings with lengths outside int range set versions Add check for string overflow to all string add operations Fix bug #72114 - int/size_t confusion in fread Updated NEWS Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()
This commit is contained in:
commit
4ba0197f87
@ -932,9 +932,6 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
|
||||
double dTotalWeight = 0.0;
|
||||
int iSrc;
|
||||
|
||||
res->ContribRow[u].Left = iLeft;
|
||||
res->ContribRow[u].Right = iRight;
|
||||
|
||||
/* Cut edge points to fit in filter window in case of spill-off */
|
||||
if (iRight - iLeft + 1 > windows_size) {
|
||||
if (iLeft < ((int)src_size - 1 / 2)) {
|
||||
@ -944,6 +941,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
|
||||
}
|
||||
}
|
||||
|
||||
res->ContribRow[u].Left = iLeft;
|
||||
res->ContribRow[u].Right = iRight;
|
||||
|
||||
for (iSrc = iLeft; iSrc <= iRight; iSrc++) {
|
||||
dTotalWeight += (res->ContribRow[u].Weights[iSrc-iLeft] = scale_f_d * (*pFilter)(scale_f_d * (dCenter - (double)iSrc)));
|
||||
}
|
||||
@ -1096,7 +1096,7 @@ gdImagePtr Scale(const gdImagePtr src, const unsigned int src_width, const unsig
|
||||
_gdScaleHoriz(src, src_width, src_height, tmp_im, new_width, src_height);
|
||||
_gdScaleVert(tmp_im, new_width, src_height, dst, new_width, new_height);
|
||||
|
||||
gdFree(tmp_im);
|
||||
gdImageDestroy(tmp_im);
|
||||
return dst;
|
||||
}
|
||||
|
||||
|
15
ext/gd/tests/bug72227.phpt
Normal file
15
ext/gd/tests/bug72227.phpt
Normal file
@ -0,0 +1,15 @@
|
||||
--TEST--
|
||||
Bug #72227: imagescale out-of-bounds read
|
||||
--SKIPIF--
|
||||
<?php
|
||||
if (!extension_loaded('gd')) die("skip gd extension not available\n");
|
||||
?>
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
$img = imagecreatetruecolor ( 100, 100);
|
||||
imagescale($img, 13, 1, IMG_BICUBIC);
|
||||
?>
|
||||
DONE
|
||||
--EXPECT--
|
||||
DONE
|
@ -335,6 +335,7 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam
|
||||
if( U_FAILURE( status ) ) {
|
||||
if( status == U_BUFFER_OVERFLOW_ERROR ) {
|
||||
status = U_ZERO_ERROR;
|
||||
buflen++; /* add space for \0 */
|
||||
continue;
|
||||
}
|
||||
|
||||
|
14
ext/intl/tests/bug72241.phpt
Normal file
14
ext/intl/tests/bug72241.phpt
Normal file
@ -0,0 +1,14 @@
|
||||
--TEST--
|
||||
Bug #72241: get_icu_value_internal out-of-bounds read
|
||||
--SKIPIF--
|
||||
<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
|
||||
--FILE--
|
||||
<?php
|
||||
$var1=str_repeat("A", 1000);
|
||||
$out = locale_get_primary_language($var1);
|
||||
echo strlen($out) . PHP_EOL;
|
||||
echo unpack('H*', $out)[1] . PHP_EOL;
|
||||
--EXPECT--
|
||||
1000
|
||||
61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161
|
||||
|
Loading…
Reference in New Issue
Block a user