File php-CVE-2016-7126.patch of Package php5.11538

m b6f13a5ef9d6280cf984826a5de012a32c396cd4 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 10 Aug 2016 00:00:14 -0700
Subject: [PATCH] Fix bug#72697 - select_colors write out-of-bounds

---
 ext/gd/gd.c                | 16 ++++++++--------
 ext/gd/tests/bug72697.phpt | 17 +++++++++++++++++
 2 files changed, 25 insertions(+), 8 deletions(-)
 create mode 100644 ext/gd/tests/bug72697.phpt

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 533dc50..cdfbaa2 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1651,11 +1651,11 @@ PHP_FUNCTION(imagetruecolortopalette)
 
 	ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
 
-	if (ncolors <= 0) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero");
+	if (ncolors <= 0 || ncolors > INT_MAX) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
 		RETURN_FALSE;
 	}
-	gdImageTrueColorToPalette(im, dither, ncolors);
+	gdImageTrueColorToPalette(im, dither, (int)ncolors);
 
 	RETURN_TRUE;
 }