PHP :: Bug #73279 :: Integer overflow in gdImageScaleBilinearPalette()
| Bug #73279 | Integer overflow in gdImageScaleBilinearPalette() | ||||
|---|---|---|---|---|---|
| Submitted: | 2016-10-10 09:25 UTC | Modified: | 2016-10-10 09:25 UTC | ||
| From: | cmb@php.net | Assigned: | cmb (profile) | ||
| Status: | Closed | Package: | GD related | ||
| PHP Version: | 5.6Git-2016-10-10 (Git) | OS: | * | ||
| Private report: | No | CVE-ID: | None | ||
[2016-10-10 09:25 UTC] cmb@php.net
Description: ------------ On platforms where `char` is actually `signed char` an integer overflow can happen in `gdImageScaleBilinearPalette` due to sign extension when `red`, `green` and `blue` are passed to `gdTrueColorAlpha()`. This issue has been reported against upstream libgd[1], but as PHP's bundled libgd is affected as well, I'm forwarding. [1] <https://github.com/libgd/libgd/issues/330> Test script: --------------- <?php $src = imagecreate(100, 100); imagecolorallocate($src, 255, 255, 255); $dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED); printf("color: %x\n", imagecolorat($dst, 99, 99)); Expected result: ---------------- color: ffffff Actual result: -------------- color: fffffffffffefeff
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2016-10-10 09:25 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
[2016-10-10 10:18 UTC] cmb@php.net
-Status: Assigned +Status: Closed