prevent signed int overflow in gdImageCopy functions#21173
Conversation
|
You need to propose (first) the change upstream instead. |
|
and you would need a new C test there. |
|
Upstream PR: libgd/libgd#982 Changes in here mirror the upstream. |
|
This has been updated to reflect the changes in the upstream (libgd/libgd#997) that have been merged. @devnexen could you give it another look? |
|
|
|
This is a backport (871c51c). Except the phpt file of course. |
|
Nice only thing I realise you target master, I would not be surprised if the bug still apply in 8.4 |
jordikroon
requested review from
Girgias,
SakiTakamachi,
TimWolla,
adoy,
arnaud-lb,
derickr,
dstogov and
kocsismate
as code owners
|
@devnexen alright, that's all sorted. It now targets PHP 8.4 as this also applies there. |
| $expected = imagecolorat($dst, 0, 0); | ||
| imagecopyresampled($dst, $src, $nearIntMax, 0, 0, 0, $w, $h, 1, 1); | ||
| assertDstUnchanged('imagecopyresampled', $dst, $expected); | ||
|
|
There was a problem hiding this comment.
Would like to see more edge cases as follows:
- A negative dstX (say -5) with a small w/h that partially overlaps the destination. That way we confirm pixels from the right part of src end up in the left of dst,
not just that nothing crashed.- A case where the source rectangle ends up empty after clipping, to make sure the resized variants don't end up dividing by zero internally.
- One run against a palette image (imagecreate(...) instead of imagecreatetruecolor(...)) for imagecopy, since that goes through a different code path.
- A very negative dstX (close to INT_MIN) as a mirror of the existing very-large-positive case.
3 participants
Fixes #21163; This affects all gdImageCopy.. functions.