We must take into account the line padding, when we're reading XBM
files.
We deliberately ignore the potential integer overflow here, because
that would be caught by gdImageCreate() or even earlier if `bytes==0`,
what happens in libgd00094.phpt which we adapt accordingly.
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
* phpsec/PHP-7.0.13:
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fix#72696: imagefilltoborder stackoverflow on truecolor images
Fix#72482: Ilegal write/read access caused by gdImageAALine overflow
Fix bug #73144 and bug #73341 - remove extra dtor
remove unreferenced var came in with merge
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
fix version
set versions
We must not allow negative color values be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
(cherry picked from commit 863d37ea66)
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
(cherry picked from commit 6499581af7)
We must not allow negative color values be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
The color components are supposed to be in range 0..255, so we must not
cast them to `signed char`, what can be the default for `char`.
Port of <https://github.com/libgd/libgd/commit/77c8d359>.
gdImageTrueColorToPalette() is sometimes wasteful by putting multiple white
color entries into the palette. This is caused by an obvious typo, where
to avoid a division by zero when `total` is zero, `count` is checked instead
of `total`.
We fix this issue to improve the quality of the color quantization.
Cf. <https://github.com/libgd/libgd/commit/24b4550f>
No pixel of a filled arc must ever be drawn multiple times. Otherwise we get
artifacts regarding transparency. That happens with the current
implementation of gdImageFilledArc() unless gdChord or gdNoFill are set.
When gdPie is set, however, the filled arc is drawn in wedges, which are
polygons of three points, and so some overlap is natural.
To resolve the issue, we stick with the current algorithm of calculating the
wedges, but instead of drawing each polygon separately, we put the relevant
points in a large array, and draw a single polygon. That also is supposed to
improve the performance considerably.
Note that this modification will change the results when gdImageSetStyle()
or gdImageSetBrush() are used, but we believe that this modification is also
an improvement in this regard, even though it still might not make much
sense to use these functions with gdImageFilledArc().
The respective fix for libgd is
<https://github.com/libgd/libgd/commit/e7e20d6>.