Skip to content

Commit b25009f

Browse files
pierrejoyepierrejoye
committed
#72482, Ilegal write/read access caused by gdImageAALine overflow
1 parent 1d69028 commit b25009f

File tree

1 file changed

+2
-47
lines changed

1 file changed

+2
-47
lines changed

ext/gd/libgd/gd.c

Lines changed: 2 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
13011301
long x, y, inc;
13021302
long dx, dy,tmp;
13031303

1304-
if (y1 < 0 && y2 < 0) {
1305-
return;
1306-
}
1307-
if (y1 < 0) {
1308-
x1 += (y1 * (x1 - x2)) / (y2 - y1);
1309-
y1 = 0;
1310-
}
1311-
if (y2 < 0) {
1312-
x2 += (y2 * (x1 - x2)) / (y2 - y1);
1313-
y2 = 0;
1314-
}
1315-
1316-
/* bottom edge */
1317-
if (y1 >= im->sy && y2 >= im->sy) {
1318-
return;
1319-
}
1320-
if (y1 >= im->sy) {
1321-
x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
1322-
y1 = im->sy - 1;
1323-
}
1324-
if (y2 >= im->sy) {
1325-
x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
1326-
y2 = im->sy - 1;
1327-
}
1328-
1329-
/* left edge */
1330-
if (x1 < 0 && x2 < 0) {
1331-
return;
1332-
}
1333-
if (x1 < 0) {
1334-
y1 += (x1 * (y1 - y2)) / (x2 - x1);
1335-
x1 = 0;
1336-
}
1337-
if (x2 < 0) {
1338-
y2 += (x2 * (y1 - y2)) / (x2 - x1);
1339-
x2 = 0;
1340-
}
1341-
/* right edge */
1342-
if (x1 >= im->sx && x2 >= im->sx) {
1304+
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
1305+
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
13431306
return;
13441307
}
1345-
if (x1 >= im->sx) {
1346-
y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
1347-
x1 = im->sx - 1;
1348-
}
1349-
if (x2 >= im->sx) {
1350-
y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
1351-
x2 = im->sx - 1;
1352-
}
13531308

13541309
dx = x2 - x1;
13551310
dy = y2 - y1;

0 commit comments

Comments
 (0)