authorChristoph M. Becker <cmbecker69@gmx.de>2016-10-25 13:23:16 +0200
committerAnatol Belski <ab@php.net>2016-11-08 13:02:19 +0100
commita05e84c42bfbff1f2ab17dfcb3311b55ff63f0a1 (patch)
tree6cfe23dbc4c8d7b936183ca4d0134860cfb49ca7
parentbf00354cb75ed9523db1f7f1c88357fe1d8710ef (diff)
downloadphp-git-a05e84c42bfbff1f2ab17dfcb3311b55ff63f0a1.tar.gz
Fix #72696: imagefilltoborder stackoverflow on truecolor images
We must not allow negative color values to be passed to gdImageFillToBorder(), because that can lead to infinite recursion since the recursion termination condition will not necessarily be met. (cherry picked from commit 863d37ea66d5c960db08d6f4a2cbd2518f0f80d1) (cherry picked from commit 5693474997b5a804be307583fb7bc3cfcdd50aec)
-rw-r--r--ext/gd/libgd/gd.c2
-rw-r--r--ext/gd/tests/bug72696.phpt14
2 files changed, 15 insertions, 1 deletions
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 0673a8d954..8d1e48dce5 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1745,7 +1745,7 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
int leftLimit = -1, rightLimit;
int i, restoreAlphaBlending = 0;
- if (border < 0) {
+ if (border < 0 || color < 0) {
/* Refuse to fill to a non-solid border */
return;
}
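Review bot: The comment inside the widened guard `if (border < 0 || color < 0)` still reads "Refuse to fill to a non-solid border", so it does not explain why a negative `color` is rejected as well. I would reword it to something like `/* Refuse a non-solid border or a negative fill color; a negative color can keep the recursive fill from ever terminating */`, so the stack-exhaustion reason from the commit message stays next to the check. The guard covers only the lower bound. Whether `color` and `border` are also checked against the palette size for non-truecolor images cannot be seen here, because the body of gdImageFillToBorder continues outside the hunk, and that is worth confirming.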
diff --git a/ext/gd/tests/bug72696.phpt b/ext/gd/tests/bug72696.phpt
new file mode 100644
index 0000000000..4f0d9e7f1d
--- /dev/null
+++ b/ext/gd/tests/bug72696.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #72696 (imagefilltoborder stackoverflow on truecolor images)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(10, 10);
+imagefilltoborder($im, 0, 0, 1, -2);
+?>
+===DONE===
+--EXPECT--
+===DONE===
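Review bot: The test only proves that the script survives one negative value (`-2`) on a truecolor image; it does not pin that the call was actually refused. Adding `var_dump(imagecolorat($im, 0, 0));` after the call, with the matching `int(0)` line in `--EXPECT--`, would show the image was left untouched rather than partially filled. Because the new guard in gd.c applies regardless of image type, a second case on an `imagecreate()` palette image would also keep a later refactor from reintroducing the unbounded recursion there.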