Fix bug 64823: ZTS GD fails to to find system TrueType font

cmb69 · cmb69 · commit f698c623612f · 2025-01-25T19:27:05.000+01:00
First, the `$fontfile` parameter actually supports a semicolon delimited list of fonts (as documented[1]); thus passing the full string to `VCWD_REALPATH()` or `php_check_open_basedir()` makes no sense; we could pass the individual parts, but … Second, libgd uses an elaborate font detection. There is a hard- coded `DEFAULT_PATH` which can be overridden by the environment variable `GDFONTPATH`. Semantics are like the `PATH` environment variable. If `DEFAULT_PATH` was still exposed (it is no longer as of libgd 2.1.0[2]), we could take that into account, but … External libgd can be configured with font-config support, so font aliases and even lookup patterns are supported. There is no way to cater to that upfront. Thus, we no longer interfere with libgd's font lookup. Checking the realpath was already doubtful (we didn't even use the resolved path). Lifting the open_basedir restriction is a bit more delicate, but the manual still states that open_basedir would not apply, and more relevant, not much harm can be done, because libgd only passes the found font to `FT_New_Face()` which likely fails for any non font files without any error which could reveal sensitive information. And the font file is never written. It should be noted that this solves lookup of system fonts, does not change the behavior for absolute font paths, but still does not resolve issues with relative paths to font files in ZTS environments using external libgd (our bundled libgd has a workaround for that). This particular issue cannot be solved, so users of ZTS builds still need to add `realpath(.)` to the `GDFONTPATH` as documented in the manual (or pass absolute paths as `$fontfile`). [1] <https://www.php.net/imagettftext> [2] <libgd/libgd@2a921c8> Closes GH-17366.
diff --git a/NEWS b/NEWS
@@ -35,6 +35,7 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug #68629 (Transparent artifacts when using imagerotate). (pierre,
     cmb)
+  . Fixed bug #64823 (ZTS GD fails to to find system TrueType font). (cmb)
 
 - Intl:
   . Bumped ICU requirement to ICU >= 57.1. (cmb)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -3374,18 +3374,6 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode)
 		}
 	}
 
-#ifdef VIRTUAL_DIR
-	{
-		char tmp_font_path[MAXPATHLEN];
-
-		if (!VCWD_REALPATH(fontname, tmp_font_path)) {
-			fontname = NULL;
-		}
-	}
-#endif /* VIRTUAL_DIR */
-
-	PHP_GD_CHECK_OPEN_BASEDIR(fontname, "Invalid font filename");
-
 	// libgd note: Those should return const char * ideally, but backward compatibility ..
 	if (EXT) {
 		error = gdImageStringFTEx(im, brect, col, fontname, ptsize, angle, x, y, str, &strex);
