* PHP-5.6:
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
5.6.24RC1
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Conflicts:
Zend/zend_virtual_cwd.c
ext/bz2/bz2.c
ext/exif/exif.c
ext/session/session.c
ext/snmp/snmp.c
ext/standard/basic_functions.c
main/SAPI.c
main/php_variables.c
* PHP-5.5:
fix#72519, possible OOB using imagegif
fix#72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Conflicts:
ext/bz2/bz2.c
main/SAPI.c
main/php_variables.c
* PHP-7.0.8:
iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
update NEWS
fix tests
fix build
Fix bug #72455: Heap Overflow due to integer overflows
Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
Fix bug #72298 pass2_no_dither out-of-bounds access
Fixed#72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
Fix bug #72262 - do not overflow int
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
Fix bug #72275: don't allow smart_str to overflow int
Fix bug #72340: Double Free Courruption in wddx_deserialize
Fix bug #72321 - use efree() for emalloc allocation
5.6.23RC1
fix NEWS
set versions
Conflicts:
configure.in
main/php_version.h
* PHP-5.6.23:
Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
update NEWS
fix tests
fix build
Fix bug #72455: Heap Overflow due to integer overflows
Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
Fix bug #72298 pass2_no_dither out-of-bounds access
Fixed#72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
Fix bug #72262 - do not overflow int
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
Fix bug #72275: don't allow smart_str to overflow int
Fix bug #72340: Double Free Courruption in wddx_deserialize
Fix bug #72321 - use efree() for emalloc allocation
5.6.23RC1
Conflicts:
configure.in
main/php_version.h
* PHP-5.5:
Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
update NEWS
fix tests
fix build
Fix bug #72455: Heap Overflow due to integer overflows
Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
Fix bug #72298 pass2_no_dither out-of-bounds access
Fixed#72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
Fix bug #72262 - do not overflow int
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
Fix bug #72275: don't allow smart_str to overflow int
Fix bug #72340: Double Free Courruption in wddx_deserialize
update NEWS
Fix#66387: Stack overflow with imagefilltoborder
Skip test which is 64bits only
5.5.37 now
Conflicts:
configure.in
ext/mcrypt/mcrypt.c
ext/spl/spl_directory.c
main/php_version.h
* PHP-5.5.37:
fix tests
fix build
Fix bug #72455: Heap Overflow due to integer overflows
Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
Fix bug #72298 pass2_no_dither out-of-bounds access
Fixed#72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
Fix bug #72262 - do not overflow int
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
Fix bug #72275: don't allow smart_str to overflow int
Fix bug #72340: Double Free Courruption in wddx_deserialize
As has been reported, 1-dimensional horizontal filled polygons are not drawn
at all. That is caused by the scanline algorithm used for drawing filled
polygons which skips the drawing of horizontal edges, because that is
normally not necessary. If, however, the polygon consists of horizontal
edges only, that obviously doesn't work, so we add a special case handling.
That has also been fixed in libgd with
<https://github.com/libgd/libgd/commit/f9f10fa9>.
Thick lines are drawn by gdImageFilledRectangle(), which iterates over
the x ordinate first (Z order) to apply the style pattern. While this works
fine for vertical and diagonal lines, it obviously fails for horizontal
lines, which have to be iterated over in N order.
To fix this bug, we introduce the helpers gdImageFilled(H|V)Rectangle(),
which may be reused for other purposes as well.
This is basically the same fix as libgd/libgd/c2b91dbc.
The stack overflow is caused by the recursive algorithm in combination with a
very large negative coordinate passed to gdImageFillToBorder(). As there is
already a clipping for large positive coordinates to the width and height of
the image, it seems to be consequent to clip to zero also.
- load glyph with FT_LOAD_IGNORE_TRANSFORM for bbox as final bbox is rotated at once later (fixes "double-rotation" per glyph for calculating bbox)
- reload the rotated glyph for painting after that (only if angle != 0)
- rotate the original bbox at 0,0 and do not throw away xMin/yMin (drawing-rotation is also based at "origin" point - including the bearingX, see http://www.freetype.org/freetype2/docs/glyphs/glyphs-3.html#section-3) - this fixes the "left-shift"-problem also when angle = 0
- removed "xb/yb" and use "x/y" directly for offsetting brect (no need for adding "x1/y1" and substracting "yd" later)
- removed therefore unused "yd" helper var which seems tried to fix parts of the original problems
- initialize x/y with 0 instead of -1 in php_imagettftext_common() to make image*text() and image*bbox() results identical (there was a -1px shift in image*bbox() before)
- fixed gdroundupdown() for negative numbers (-256 / 64 gives -5 instead of -4 before)
- rotate kerning-delta by given angle (fixes completely wrong kerning and therefore wrong bounding box if angle != 0)
- changed 3 tests and added a new one to test for the new (better) coordinates
The stack overflow is caused by the recursive algorithm in combination with a
very large negative coordinate passed to gdImageFillToBorder(). As there is
already a clipping for large positive coordinates to the width and height of
the image, it seems to be consequent to clip to zero also.
Contrary to imagefilledrectangle(), imagerectangle() has the documented
limitation that the given points have to be the upper left and the lower right
corner, respectively. However, libgd already caters to upper right / lower left
pairs, and not catering to the other two combinations seems to be an oversight.
The code in the bundled libgd uses libvpx and writes the riff manually. The
code generates the correct even size, but neglects the padding. It's possible
older versions of libwebp would decode this, but libwebp 0.4.0 does not.
Let's apply the patch supplied by one of the WebP developers.
ext/gd/libgd/gd_webp.c has been taken from libgd[1]. Mainly, gd_error(X) has
been subsituted by zend_error(E_ERROR, X) and BGD_DECLARE(X) by X. Further
modifications are obvious from the diff.
All GD tests are passing, what raises hope, but we need more WebP tests,
anyway.
[1] <7ec030c4f1/src/gd_webp.c>
Contrary to the external libgd, the bundled libgd doesn't use optimized
rotation algorithms for negative square angles. We fix that now.
There are other improvements in gdImageRotateInterpolated() in the external
libgd. I'll leave them out for now, in the hope that we'll be able to rejoin
the two libraries rather soon.
imagescale(..., IMG_BICUBIC) is not supposed to work with palette images, so we
fix that by converting to true color if necessary. Basically the same fix has
already been applied to the external libgd[1].
[1] <723ea520be>
To avoid drawing the corner pixels twice, gdImageRectangle() draws the vertical
lines 2 points shorter than the actual side of the rectangle. However, this
causes "whiskers" for rectangles with height 0. This patch fixes this issue and
at the same time optimizes the algorithm by drawing only a single line for zero
height and zero width rectangles.
Actually, this is not really a bug fix, but rather a simplification and
optimization in the same vein as has been done with the external libgd, but
going a small step further and joining both for loops.
From upstream d41eb72cd4
Fix build with latest libvpx 1.4.0
These new constants exist at least since 1.0.0
Compatibility ones have been droped in 1.4.0