Integer overflow in imageline() with antialiasing
| Bug #73213 | Integer overflow in imageline() with antialiasing | | |
|---|---|---|---|
| Submitted: | 2016-09-30 20:52 UTC | Modified: | 2016-09-30 20:52 UTC |
| From: | cmb@php.net | Assigned: | cmb (profile) |
| Status: | Closed | Package: | GD related |
| PHP Version: | 5.6.26 | OS: | 32bit,LLP64 |
| Private report: | No | CVE-ID: | None |
[2016-09-30 20:52 UTC] cmb@php.net
Description:
------------
Drawing very large antialiased lines causes integer overflows in gdImageAALine(), which can lead to strange results and even crashes.

This issue had been reported upstream as <https://github.com/libgd/libgd/issues/5> and fixed, but the fix didn't yet make it to PHP's bundled libgd.

Test script:
---------------
<?php
$im = imagecreatetruecolor(32768, 1);
$black = imagecolorallocate($im, 0, 0, 0);
imageantialias($im, true);
imageline($im, 0,0, 32767,0, $black);
imagepng($im, __DIR__ . DIRECTORY_SEPARATOR . 'aa-bug.png');

Expected result:
----------------
A PNG image with a line.

Actual result:
--------------
PHP crashes.
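The following C sketch is an added illustration, not code from PHP, libgd or the reporter. It shows why the endpoint 32767 in the test script sits exactly at the edge on targets with a 32-bit `long`, under the assumption that the line routine keeps x as a 16.16 fixed-point value in a signed 32-bit integer; `FP_ONE`, `fits_fixed_16_16` and `columns_before_wrap` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (not taken from the report): the line routine keeps x as a
 * 16.16 fixed-point value in a signed 32-bit integer, which is the width
 * of `long` on the 32-bit and LLP64 targets named in the report. */
#define FP_ONE 65536 /* 1.0 in 16.16 fixed point */

/* 1 if `coord` survives conversion to 16.16 in 32 signed bits, else 0. */
int fits_fixed_16_16(int coord)
{
    int64_t wide = (int64_t)coord * FP_ONE;
    return wide >= INT32_MIN && wide <= INT32_MAX;
}

/* Walk x from x1 to x2 inclusive in 16.16 steps, doing the arithmetic in
 * 64 bits so the simulation itself has no undefined behaviour.
 * Returns the number of columns visited, or -1 if the 32-bit accumulator
 * would have wrapped before the loop condition could become false. */
long columns_before_wrap(int x1, int x2)
{
    int64_t x = (int64_t)x1 * FP_ONE;
    long visited = 0;

    if (x < INT32_MIN || x > INT32_MAX)
        return -1;               /* start value already does not fit */
    while (x / FP_ONE <= x2) {
        visited++;               /* a pixel would be plotted here */
        x += FP_ONE;             /* advance one column */
        if (x > INT32_MAX)
            return -1;           /* 32-bit accumulator wraps negative */
    }
    return visited;
}

int main(void)
{
    /* Constructed inputs: the endpoints of the report's test script and
     * a line one pixel shorter. */
    printf("32767 fits: %d, 32768 fits: %d\n",
           fits_fixed_16_16(32767), fits_fixed_16_16(32768));
    printf("0..32766: %ld\n", columns_before_wrap(0, 32766));
    printf("0..32767: %ld\n", columns_before_wrap(0, 32767));
    return 0;
}
```

The start and end values both fit; it is the increment after the last column that leaves the 32-bit range, so a range check on the endpoints alone does not catch it.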
History
[2016-09-30 20:52 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
[2016-09-30 22:08 UTC] cmb@php.net
-Status: Assigned +Status: Closed