File php-CVE-2018-1000222.patch of Package php7.20976

Index: php-7.2.5/ext/gd/libgd/gd_bmp.c
===================================================================
--- php-7.2.5.orig/ext/gd/libgd/gd_bmp.c	2018-04-24 17:09:54.000000000 +0200
+++ php-7.2.5/ext/gd/libgd/gd_bmp.c	2018-08-27 16:21:13.287949435 +0200
@@ -40,6 +40,8 @@ static int bmp_read_4bit(gdImagePtr im,
 static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
 static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
 
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
 #define BMP_DEBUG(s)
 
 static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -68,8 +70,10 @@ void * gdImageBmpPtr(gdImagePtr im, int
 	void *rv;
 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
 	if (out == NULL) return NULL;
-	gdImageBmpCtx(im, out, compression);
-	rv = gdDPExtractData(out, size);
+	if (!_gdImageBmpCtx(im, out, compression))
+		rv = gdDPExtractData(out, size);
+	else
+		rv = NULL;
 	out->gd_free(out);
 	return rv;
 }
@@ -90,12 +94,18 @@ void gdImageBmp(gdImagePtr im, FILE *out
 */
 void gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 {
+       _gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+{
 	int bitmap_size = 0, info_size, total_size, padding;
 	int i, row, xpos, pixel;
 	int error = 0;
 	unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
 	FILE *tmpfile_for_compression = NULL;
 	gdIOCtxPtr out_original = NULL;
+	int ret = 1;
 
 	/* No compression if its true colour or we don't support seek */
 	if (im->trueColor) {
@@ -273,6 +283,7 @@ void gdImageBmpCtx(gdImagePtr im, gdIOCt
 		out_original = NULL;
 	}
 
+	ret = 0;
 cleanup:
 	if (tmpfile_for_compression) {
 #ifdef _WIN32
@@ -286,7 +297,7 @@ cleanup:
 	if (out_original) {
 		out_original->gd_free(out_original);
 	}
-	return;
+	return ret;
 }
 
 static int compress_row(unsigned char *row, int length)