Merge branch 'PHP-7.0' into PHP-7.1

cmb69 · cmb69 · commit f6da70863f62 · 2016-10-01T00:00:46.000+02:00
diff --git a/NEWS b/NEWS
@@ -26,6 +26,7 @@ PHP                                                                        NEWS
   . Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted
     files). (cmb)
   . Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
+  . Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
 
 - JSON:
   . Fixed bug #73113 (Segfault with throwing JsonSerializable). (julien)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -1296,7 +1296,7 @@ inline static void gdImageSetAAPixelColor(gdImagePtr im, int x, int y, int color
 void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
 {
 	/* keep them as 32bits */
-	long x, y, inc;
+	long x, y, inc, frac;
 	long dx, dy,tmp;
 
 	if (y1 < 0 && y2 < 0) {
@@ -1366,16 +1366,22 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
 			dx = x2 - x1;
 			dy = y2 - y1;
 		}
-		x = x1 << 16;
-		y = y1 << 16;
+		y = y1;
 		inc = (dy * 65536) / dx;
-		while ((x >> 16) <= x2) {
-			gdImageSetAAPixelColor(im, x >> 16, y >> 16, col, (y >> 8) & 0xFF);
-			if ((y >> 16) + 1 < im->sy) {
-				gdImageSetAAPixelColor(im, x >> 16, (y >> 16) + 1,col, (~y >> 8) & 0xFF);
+		frac = 0;
+		for (x = x1; x <= x2; x++) {
+			gdImageSetAAPixelColor(im, x, y, col, (frac >> 8) & 0xFF);
+			if (y + 1 < im->sy) {
+				gdImageSetAAPixelColor(im, x, y + 1, col, (~frac >> 8) & 0xFF);
+			}
+			frac += inc;
+			if (frac >= 65536) {
+				frac -= 65536;
+				y++;
+			} else if (frac < 0) {
+				frac += 65536;
+				y--;
 			}
-			x += (1 << 16);
-			y += inc;
 		}
 	} else {
 		if (dy < 0) {
@@ -1388,16 +1394,22 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
 			dx = x2 - x1;
 			dy = y2 - y1;
 		}
-		x = x1 << 16;
-		y = y1 << 16;
+		x = x1;
 		inc = (dx * 65536) / dy;
-		while ((y>>16) <= y2) {
-			gdImageSetAAPixelColor(im, x >> 16, y >> 16, col, (x >> 8) & 0xFF);
-			if ((x >> 16) + 1 < im->sx) {
-				gdImageSetAAPixelColor(im, (x >> 16) + 1, (y >> 16),col, (~x >> 8) & 0xFF);
+		frac = 0;
+		for (y = y1; y <= y2; y++) {
+			gdImageSetAAPixelColor(im, x, y, col, (frac >> 8) & 0xFF);
+			if (x + 1 < im->sx) {
+				gdImageSetAAPixelColor(im, x + 1, y, col, (~frac >> 8) & 0xFF);
+			}
+			frac += inc;
+			if (frac >= 65536) {
+				frac -= 65536;
+				x++;
+			} else if (frac < 0) {
+				frac += 65536;
+				x--;
 			}
-			x += inc;
-			y += (1<<16);
 		}
 	}
 }
diff --git a/ext/gd/tests/bug73213.phpt b/ext/gd/tests/bug73213.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #73213 (Integer overflow in imageline() with antialiasing)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
+
+$im = imagecreatetruecolor(32768, 1);
+$black = imagecolorallocate($im, 0, 0, 0);
+imageantialias($im, true);
+
+imageline($im, 0,0, 32767,0, $black);
+
+test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug73213.png', $im);
+?>
+===DONE===
+--EXPECT--
+The images are equal.
+===DONE===
diff --git a/ext/gd/tests/bug73213.png b/ext/gd/tests/bug73213.png
