From 4d7d01d18ea10257bcb2cd7e23ad5d39a7aecd6f Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Wed, 12 Feb 2025 23:17:33 +0000
Subject: [PATCH] Fix GH-17772: imagepalettetotruecolor segfault on invalid truecolor pixel.
close GH-17777
---
 NEWS | 4 ++++
 ext/gd/libgd/gd.c | 6 +++++-
 ext/gd/tests/gh17772.phpt | 28 ++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 ext/gd/tests/gh17772.phpt
diff --git a/NEWS b/NEWS
index 40eb7b37c70..84999491ab0 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,10 @@ PHP NEWS
 . Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
 (Jakub Zelenka)
+- GD:
+ . Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
+ (David Carlier)
+
 - LDAP:
 . Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys). (nielsdos, 7u83)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 7265758696a..0bd6e4b587e 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -3108,7 +3108,11 @@ int gdImagePaletteToTrueColor(gdImagePtr src)
 const unsigned int sy = gdImageSY(src);
 const unsigned int sx = gdImageSX(src);
- src->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
+ // Note: do not revert back to gdMalloc() below ; reason here,
+ // due to a bug with a certain memory_limit INI value treshold,
+ // imagepalettetotruecolor crashes with even unrelated ZendMM allocations.
+ // See GH-17772 for an use case.
+ src->tpixels = (int **) gdCalloc(sizeof(int *), sy);
 if (src->tpixels == NULL) {
 return 0;
 }
diff --git a/ext/gd/tests/gh17772.phpt b/ext/gd/tests/gh17772.phpt
new file mode 100644
index 00000000000..6252a13341f
--- /dev/null
+++ b/ext/gd/tests/gh17772.phpt
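Review bot: The comment added above the `gdCalloc()` call in `gdImagePaletteToTrueColor` (ext/gd/libgd/gd.c) records the symptom but not the invariant the zero-fill provides, so a later reader cannot tell why `gdMalloc()` is unsafe here. Judging by the test title ("segfault on image deallocation") and its expected memory-exhaustion error, the row-pointer array presumably must hold only NULL or valid pointers when a later allocation aborts and the image is freed; the rest of the function is outside the hunk, so this should be confirmed. I would say that directly, e.g. `/* tpixels must be zero-filled: if a row allocation below fails or bails out on memory_limit, image destruction may only see NULL or valid row pointers (GH-17772). */`, which also fixes the "treshold" and "an use case" wording. Separately, the arguments read more naturally in calloc order, `gdCalloc(sy, sizeof(int *))`.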
@@ -0,0 +1,28 @@
+--TEST--
+GH-17772 (imagepalettetotruecolor segfault on image deallocation)
+--EXTENSIONS--
+gd
+--INI--
+memory_limit=2M
+--CREDITS--
+YuanchengJiang
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted%s(tried to allocate %d bytes) in %s on line %d
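Review bot: The regression test depends on `memory_limit=2M` running out inside the palette-to-truecolor conversion, and `--EXPECTF--` matches only the generic exhaustion message, so on a platform or allocator where the limit trips elsewhere the test could still pass without reaching the fixed path. The `--FILE--` body is not visible in this view, so this is inferred from the INI section and the expected output. A short `--DESCRIPTION--` section stating that assumption would help whoever has to retune the limit later, e.g. `Relies on memory_limit=2M being exhausted while imagepalettetotruecolor() allocates its rows; the image must still be freed cleanly afterwards.`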