Fix GH-17984: gd calls with array arguments.

close GH-17985

Author: devnexen

NEWS

@@ -34,6 +34,8 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
     (David Carlier)
+  . Fixed bug GH-17984 (calls with arguments as array with references).
+    (David Carlier)
 
 - LDAP:
   . Fixed bug GH-17704 (ldap_search fails when $attributes contains a

ext/gd/gd.c

@@ -3417,7 +3417,7 @@ PHP_FUNCTION(imageconvolution)
 	}
 
 	for (i=0; i<3; i++) {
-		if ((var = zend_hash_index_find(Z_ARRVAL_P(hash_matrix), (i))) != NULL && Z_TYPE_P(var) == IS_ARRAY) {
+		if ((var = zend_hash_index_find_deref(Z_ARRVAL_P(hash_matrix), (i))) != NULL && Z_TYPE_P(var) == IS_ARRAY) {
 			if (zend_hash_num_elements(Z_ARRVAL_P(var)) != 3 ) {
 				zend_argument_value_error(2, "must be a 3x3 array, matrix[%d] only has %d elements", i, zend_hash_num_elements(Z_ARRVAL_P(var)));
 				RETURN_THROWS();
@@ -3697,7 +3697,7 @@ PHP_FUNCTION(imageaffine)
 	}
 
 	for (i = 0; i < nelems; i++) {
-		if ((zval_affine_elem = zend_hash_index_find(Z_ARRVAL_P(z_affine), i)) != NULL) {
+		if ((zval_affine_elem = zend_hash_index_find_deref(Z_ARRVAL_P(z_affine), i)) != NULL) {
 			switch (Z_TYPE_P(zval_affine_elem)) {
 				case IS_LONG:
 					affine[i] = Z_LVAL_P(zval_affine_elem);
@@ -3873,7 +3873,7 @@ PHP_FUNCTION(imageaffinematrixconcat)
 	}
 
 	for (i = 0; i < 6; i++) {
-		if ((tmp = zend_hash_index_find(Z_ARRVAL_P(z_m1), i)) != NULL) {
+		if ((tmp = zend_hash_index_find_deref(Z_ARRVAL_P(z_m1), i)) != NULL) {
 			switch (Z_TYPE_P(tmp)) {
 				case IS_LONG:
 					m1[i]  = Z_LVAL_P(tmp);
@@ -3890,7 +3890,7 @@ PHP_FUNCTION(imageaffinematrixconcat)
 			}
 		}
 
-		if ((tmp = zend_hash_index_find(Z_ARRVAL_P(z_m2), i)) != NULL) {
+		if ((tmp = zend_hash_index_find_deref(Z_ARRVAL_P(z_m2), i)) != NULL) {
 			switch (Z_TYPE_P(tmp)) {
 				case IS_LONG:
 					m2[i]  = Z_LVAL_P(tmp);

ext/gd/tests/gh17984.phpt

@@ -0,0 +1,44 @@
+--TEST--
+GH-17984: array of references handling
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$a = 45;
+$matrix = [&$a, 1, 3, 1, 5, 1];
+$subarray = [&$a, 0, 0];
+$matrix3 = array([0, 0, 0] , &$subarray, [0, 0, 0]);
+$src = imagecreatetruecolor(8, 8);
+var_dump(imageaffine($src, $matrix));
+var_dump(imageaffinematrixconcat($matrix, $matrix));
+var_dump(imageconvolution($src, $matrix3, 1.0, 0.0));
+$poly = imagecolorallocate($src, 255, 0, 0);
+var_dump(imagepolygon($src, array (
+        &$a,   0,
+        100, 200,
+        300, 200
+    ),
+    $poly));
+$style = [&$a, &$a];
+var_dump(imagesetstyle($src, $style)); 
+?>
+--EXPECT--
+object(GdImage)#2 (0) {
+}
+array(6) {
+  [0]=>
+  float(2028)
+  [1]=>
+  float(46)
+  [2]=>
+  float(138)
+  [3]=>
+  float(4)
+  [4]=>
+  float(233)
+  [5]=>
+  float(7)
+}
+bool(true)
+bool(true)
+bool(true)