Fix #79067: gdTransformAffineCopy() may use unitialized values

We port
<libgd/libgd@7a06c16>.

Author: cmb69

NEWS

@@ -24,6 +24,7 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug #78923 (Artifacts when convoluting image with transparency).
     (wilson chen)
+  . Fixed bug #79067 (gdTransformAffineCopy() may use unitialized values). (cmb)
 
 - Libxml:
   . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence)

ext/gd/libgd/gd_interpolation.c

@@ -2334,7 +2334,7 @@ int gdTransformAffineGetImage(gdImagePtr *dst,
  *  src_area - Rectangular region to rotate in the src image
  *
  * Returns:
- *  GD_TRUE if the affine is rectilinear or GD_FALSE
+ *  GD_TRUE on success or GD_FALSE on failure
  */
 int gdTransformAffineCopy(gdImagePtr dst,
 		  int dst_x, int dst_y,
@@ -2393,7 +2393,10 @@ int gdTransformAffineCopy(gdImagePtr dst,
 	end_y = bbox.height + (int) fabs(bbox.y);
 
 	/* Get inverse affine to let us work with destination -> source */
-	gdAffineInvert(inv, affine);
+	if (gdAffineInvert(inv, affine) == GD_FALSE) {
+		gdImageSetInterpolationMethod(src, interpolation_id_bak);
+		return GD_FALSE;
+	}
 
 	src_offset_x =  src_region->x;
 	src_offset_y =  src_region->y;

ext/gd/libgd/gd_matrix.c

@@ -55,7 +55,7 @@ int gdAffineApplyToPointF (gdPointFPtr dst, const gdPointFPtr src,
  *  <gdAffineIdentity>
  *
  * Returns:
- *  GD_TRUE if the affine is rectilinear or GD_FALSE
+ *  GD_TRUE on success or GD_FALSE on failure
  */
 int gdAffineInvert (double dst[6], const double src[6])
 {

ext/gd/tests/bug79067.phpt

@@ -0,0 +1,14 @@
+--TEST--
+Bug #79067 (gdTransformAffineCopy() may use unitialized values)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$matrix = [1, 1, 1, 1, 1, 1];
+$src = imagecreatetruecolor(8, 8);
+var_dump(imageaffine($src, $matrix));
+?>
+--EXPECT--
+bool(false)