History log of /PHP_5_5/ext/gd/libgd/gd_crop.c
Revision Date Author Comments (<<< Hide modified files) (Show modified files >>>)
af09d8b 05-Mar-2014 Remi Collet <remi@php.net> Fixed Bug #66815 imagecrop(): insufficient fix for NULL defer CVE-2013-7327

This amends commit 8f4a537, which aimed to correct NULL dereference because of
missing check of gdImageCreateTrueColor() / gdImageCreate() return value. That
commit checks for negative crop rectangle width and height, but
gdImageCreate*() can also return NULL when width * height overflows. Hence
NULL deref is still possible, as gdImageSaveAlpha() and gdImagePaletteCopy()
is called before dst == NULL check.

This moves NULL check to happen right after gdImageCreate*(). It also removes
width and height check before gdImageCreate*(), as the same check is done by
image create functions (with an extra warning).

From thoger redhat com
/PHP_5_5/ext/gd/libgd/gd_crop.c
464c219 28-Dec-2013 Remi Collet <remi@php.net> minor fix on previous
/PHP_5_5/ext/gd/libgd/gd_crop.c
8f4a537 28-Dec-2013 Remi Collet <remi@php.net> Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop())

Initial fix was PHP stuff
This one is libgd fix.

- filter invalid crop size
- dont try to copy on invalid position
- fix crop size when out of src image
- fix possible NULL deref
- fix possible integer overfloow
/PHP_5_5/ext/gd/libgd/gd_crop.c
72085b0 13-Jul-2013 Veres Lajos <vlajos@gmail.com> typo fixes
/PHP_5_5/ext/gd/libgd/gd_crop.c
0a55c4b 03-Mar-2013 Pierre Joye <pierre.php@gmail.com> - (s)rgb distance works way better for now, re enable threshold
/PHP_5_5/ext/gd/libgd/gd_crop.c
22aeb97 28-Feb-2013 Pierre Joye <pierre.php@gmail.com> - add todo for threshold
/PHP_5_5/ext/gd/libgd/gd_crop.c
0c32a18 28-Feb-2013 Pierre Joye <pierre.php@gmail.com> - clean and enable threshold
/PHP_5_5/ext/gd/libgd/gd_crop.c
a991360 28-Feb-2013 Pierre Joye <pierre.php@gmail.com> - add image crop support
/PHP_5_5/ext/gd/libgd/gd_crop.c