We must take into account the line padding, when we're reading XBM
files.
We deliberately ignore the potential integer overflow here, because
that would be caught by gdImageCreate() or even earlier if `bytes==0`,
what happens in libgd00094.phpt which we adapt accordingly.
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
We add PHP bindings for libgd's features to read and write BMP files, which
are available as of libgd 2.1.0.
As PHP's bundled libgd doesn't yet include the respective features of the
external libgd, we add these.
* PHP-7.1:
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fix#72696: imagefilltoborder stackoverflow on truecolor images
Fix#72482: Ilegal write/read access caused by gdImageAALine overflow
Fix bug #73144 and bug #73341 - remove extra dtor
remove unreferenced var came in with merge
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
Fix#72696: imagefilltoborder stackoverflow on truecolor images
Fix#72482: Ilegal write/read access caused by gdImageAALine overflow
fix version
set versions
Fix bug #73144 and bug #73341 - remove extra dtor
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
* phpsec/PHP-7.0.13:
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Fix#72696: imagefilltoborder stackoverflow on truecolor images
Fix#72482: Ilegal write/read access caused by gdImageAALine overflow
Fix bug #73144 and bug #73341 - remove extra dtor
remove unreferenced var came in with merge
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
fix version
set versions
We must not allow negative color values be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
(cherry picked from commit 863d37ea66)
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
(cherry picked from commit 6499581af7)
We must not allow negative color values be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
This issue has actually already been fixed with commit 46f2c690. We're
adding a regression test and a NEWS entry, and also port the fix in
gdImageCropThreshold() from libgd:
* <b347e034>
* <46f2c690>
The color components are supposed to be in range 0..255, so we must not
cast them to `signed char`, what can be the default for `char`.
Port of <77c8d359>.
There's no need anymore to call an own error handler directly. Instead we
register our error handler and call libgd's error functions (which will
forward). We do this regardless of compiling with the bundled or an external
libgd.
gdImageOpenPolygon() has been introduced with líbgd 2.0.29, so we finally
add a PHP binding for it, and port the respective libgd functionality to
PHP's bundled libgd.
gdLayerMultiply() has been introduced in libgd 2.1.1, and as such would have
been already available for imagelayereffect() with a system libgd. We port
the respective code to the bundled libgd, and also make IMG_EFFECT_MULTIPLY
available to userland.
Instead of rolling our own in the bundled libgd, we use libgd's anti-aliased
drawing API. This way imageantialias() is also available, when built against
a system libgd.
Curiously, while the external GD claims "just a few vestiges after switching
to the fast, memory-cheap implementation from PHP-gd", that stuff was still
in the bundled GD.
