Hi all, I'm in the progress of updating all libraries required for ext/gd on Windows. Since libxpm hasn't been updated for quite a while (we're still shipping libxpm 3.5.12), I've attempted updating to libxpm 3.5.17. However, besides the already existing mess of needing to fetch several X11 header files from other repos, I've noticed that support for FOR_MSW builds has completely been dropped[1]. That makes it even harder to have a somewhat clean build.
Looking a bit further, I've noticed that three vulnerabilites have been fixed in libxpm 3.5.15[2]; the third one doesn't affect our builds, but the first two likely do, causing potential DoS, if crafted XPM images are read by imagecreatefromxpm() (but not by imagecreatefromstring() since this doesn't support XPM). While it should be possible to upgrade to libxpm 3.5.15 (or at least to backport the respective fixes), I don't think it makes sense to move forward supporting XPM images with ext/gd on Windows. Besides that this format is typically used on Linux, it is grossly out-dated. Even Gif is way superior, let alone PNG. Therefore I suggest dropping XPM support from ext/gd on Windows as soon as possible (might be a bit late for PHP 8.4, but might still be a good idea). Note that XBM support is unrelated, since this is handled by the bundled libgd without relying on any library. Also note that getimagesize() is also not affected, since it doesn't support XPM anyway. Any objections, or general thoughts? [1] <https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/b30fd0918f8d99aa718ede3da30f9d29f87063e1> [2] <https://lists.x.org/archives/xorg-announce/2023-January/003312.html> Christoph
