From 9dd9b5011d1b89292361981163d732b40e83eb3e Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Wed, 12 Feb 2025 23:17:33 +0000
Subject: [PATCH] Fix GH-17772: imagepalettetotruecolor segfault on invalid
 truecolor pixel.

close GH-17777
---
 ext/gd/libgd/gd.c         |  6 +++++-
 ext/gd/tests/gh17772.phpt | 28 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 ext/gd/tests/gh17772.phpt

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 7265758696ad3..0bd6e4b587e9f 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -3108,7 +3108,11 @@ int gdImagePaletteToTrueColor(gdImagePtr src)
 		const unsigned int sy = gdImageSY(src);
 		const unsigned int sx = gdImageSX(src);
 
-		src->tpixels = (int **) gdMalloc(sizeof(int *) * sy);
+		// Note: do not revert back to gdMalloc() below ; reason here,
+		// due to a bug with a certain memory_limit INI value treshold,
+		// imagepalettetotruecolor crashes with even unrelated ZendMM allocations.
+		// See GH-17772 for an use case.
+		src->tpixels = (int **) gdCalloc(sizeof(int *), sy);
 		if (src->tpixels == NULL) {
 			return 0;
 		}
diff --git a/ext/gd/tests/gh17772.phpt b/ext/gd/tests/gh17772.phpt
new file mode 100644
index 0000000000000..6252a13341f41
--- /dev/null
+++ b/ext/gd/tests/gh17772.phpt
@@ -0,0 +1,28 @@
+--TEST--
+GH-17772 (imagepalettetotruecolor segfault on image deallocation)
+--EXTENSIONS--
+gd
+--INI--
+memory_limit=2M
+--CREDITS--
+YuanchengJiang
+--SKIPIF--
+<?php
+if (!GD_BUNDLED) die("skip requires bundled GD library");
+?>
+--FILE--
+<?php
+function setStyleAndThickness($im, $color, $thickness)
+{
+$arr = [];
+$i = 0;
+while ($i < 16 * $thickness) {
+$arer[$i++] = $color;
+}
+}
+$im = imagecreate(800, 800);
+setStyleAndThickness($im, 0, 6);
+imagepalettetotruecolor($im);
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of %d bytes exhausted%s(tried to allocate %d bytes) in %s on line %d