58 lines
1.6 KiB
Diff
58 lines
1.6 KiB
Diff
Backported from 5.5.37 for 5.4 by Remi Collet
|
|
|
|
|
|
From f96ebb098697908641c6d37e1149cde1f90417fd Mon Sep 17 00:00:00 2001
|
|
From: "Christoph M. Becker" <cmb@php.net>
|
|
Date: Mon, 20 Jul 2015 23:24:55 +0200
|
|
Subject: [PATCH] Fix #66387: Stack overflow with imagefilltoborder
|
|
|
|
The stack overflow is caused by the recursive algorithm in combination with a
|
|
very large negative coordinate passed to gdImageFillToBorder(). As there is
|
|
already a clipping for large positive coordinates to the width and height of
|
|
the image, it seems to be consequent to clip to zero also.
|
|
---
|
|
ext/gd/libgd/gd.c | 4 ++++
|
|
ext/gd/tests/bug66387.phpt | 15 +++++++++++++++
|
|
2 files changed, 19 insertions(+)
|
|
create mode 100644 ext/gd/tests/bug66387.phpt
|
|
|
|
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
|
|
index d73f094..2c63aac 100644
|
|
--- a/ext/gd/libgd/gd.c
|
|
+++ b/ext/gd/libgd/gd.c
|
|
@@ -1770,9 +1770,13 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
|
|
|
|
if (x >= im->sx) {
|
|
x = im->sx - 1;
|
|
+ } else if (x < 0) {
|
|
+ x = 0;
|
|
}
|
|
if (y >= im->sy) {
|
|
y = im->sy - 1;
|
|
+ } else if (y < 0) {
|
|
+ y = 0;
|
|
}
|
|
|
|
for (i = x; i >= 0; i--) {
|
|
diff --git a/ext/gd/tests/bug66387.phpt b/ext/gd/tests/bug66387.phpt
|
|
new file mode 100644
|
|
index 0000000..79c49a5
|
|
--- /dev/null
|
|
+++ b/ext/gd/tests/bug66387.phpt
|
|
@@ -0,0 +1,15 @@
|
|
+--TEST--
|
|
+Bug #66387 (Stack overflow with imagefilltoborder)
|
|
+--SKIPIF--
|
|
+<?php
|
|
+if (!extension_loaded('gd')) die('skip gd extension not available!');
|
|
+?>
|
|
+--FILE--
|
|
+<?php
|
|
+$im = imagecreatetruecolor(20, 20);
|
|
+$c = imagecolorallocate($im, 255, 0, 0);
|
|
+imagefilltoborder($im, 0, -999355, $c, $c);
|
|
+echo "ready\n";
|
|
+?>
|
|
+--EXPECT--
|
|
+ready
|
