Merge branch 'PHP-8.3' into PHP-8.4

devnexen · devnexen · commit ed18fd073aba · 2025-02-14T15:28:48.000Z
diff --git a/NEWS b/NEWS
@@ -30,6 +30,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
     (Jakub Zelenka)
 
+- GD:
+  . Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
+    (David Carlier)
+
 - LDAP:
   . Fixed bug GH-17704 (ldap_search fails when $attributes contains a
     non-packed array with numerical keys). (nielsdos, 7u83)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -3162,7 +3162,11 @@ int gdImagePaletteToTrueColor(gdImagePtr src)
 		const unsigned int sy = gdImageSY(src);
 		const unsigned int sx = gdImageSX(src);
 
-		src->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
+		// Note: do not revert back to gdMalloc() below ; reason here,
+		// due to a bug with a certain memory_limit INI value treshold,
+		// imagepalettetotruecolor crashes with even unrelated ZendMM allocations.
+		// See GH-17772 for an use case.
+		src->tpixels = (int **) gdCalloc(sizeof(int *), sy);
 		if (src->tpixels == NULL) {
 			return 0;
 		}
diff --git a/ext/gd/tests/gh17772.phpt b/ext/gd/tests/gh17772.phpt
@@ -0,0 +1,28 @@
+--TEST--
+GH-17772 (imagepalettetotruecolor segfault on image deallocation)
+--EXTENSIONS--
+gd
+--INI--
+memory_limit=2M
+--CREDITS--
+YuanchengJiang
+--SKIPIF--
+<?php
+if (!GD_BUNDLED) die("skip requires bundled GD library");
+?>
+--FILE--
+<?php
+function setStyleAndThickness($im, $color, $thickness)
+{
+$arr = [];
+$i = 0;
+while ($i < 16 * $thickness) {
+$arer[$i++] = $color;
+}
+}
+$im = imagecreate(800, 800);
+setStyleAndThickness($im, 0, 6);
+imagepalettetotruecolor($im);
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted%s(tried to allocate %d bytes) in %s on line %d
