gdImageFillToBorder stack-overflow when invalid color is used #215
Comments
|
seems related to the fix for issue #213. we silently clip the coordinates to the limits of the image now. |
|
I'm not sure if it's the same issue, since I identified it on the libgd version included with php, that fixed #213 first. Also note that I'm not using big numbers on parameters. According to my testing there is no stack overflow if I use imagecreatetruecolor. |
|
i'm not saying it's the same issue, just somewhat related |
|
Ok, sorry for the noise then :) language barrier. How does this patch look to you? It's for php's libgd though. |
|
that will make it work in the non-truecolor mode, but i think truecolor still has issues. when you factor in the different effect modes (alpha-blending, overlays, multiply), doing a set+get on a pixel might not return the exact same value you put in ( one thing i really hate about gd's API in general is its inconsistent (and uncommon) ability to signal errors. ideally,
|
|
@vapier totally agree, sadly remaining of the old APIs where we try to keep BC. also correct fix could be: |
|
ah yeah, i missed i'm not sure about that fix -- if the user requested a color that is outside of
    if (!im->trueColor && nc > (im->colorsTotal - 1)) {
        return;
    }
i think we want to use that in this func. |
|
Yes that works too. Is color unsigned or signed? If the latter we must check for >0 too. |
|
it's not clear to me how a value of |
|
colorsTotal is the current amount of colors allocated (see the color
|
|
i think you forgot to also, i think the question is still open: should |
|
We need the amount of colors allocated when it comes to saving the image. We can indeed scan the image to see if a color index is used or not but it can be very slow. Also 0 is a special case and has to remain one as it is used as the background color (the 1st allocate will be the default bgd color for palette image, which is why gdCalloc is used to allocate the rows). |
* GD-2.2: fix #215, invalid color index, missing case for invalid border
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is not truecolor.
Source code:
https://github.com/php/php-src/blob/master/ext/gd/libgd/gd.c#L1811
Test script:
Expected result:
No crash
Actual result:
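The failure mode discussed in this thread, as an added example that is not libgd's or php's code: a miniature palette image shows how an out-of-range color index can defeat a recursive fill's termination test, and how a range check against `colorsTotal` like the one quoted above rejects it first. `toy_image`, `fill_rec`, `toy_fill_to_border`, `demo` and `DEPTH_CAP` are hypothetical names; the 8-bit pixel storage, the simple 4-neighbour recursion and the extension of the check to negative values and to the border index are assumptions of this example.

```c
#include <stdio.h>

enum { W = 8, H = 8, DEPTH_CAP = 4096 }; /* cap stands in for the real stack limit */

/* Hypothetical miniature of a palette image; not libgd's gdImage. */
typedef struct {
    unsigned char px[H][W]; /* palette indexes are stored in 8 bits */
    int colorsTotal;        /* palette entries allocated so far */
    int trueColor;
} toy_image;

static int aborted; /* set once the recursion reaches DEPTH_CAP */

static void fill_rec(toy_image *im, int x, int y, int border, int color, int depth)
{
    if (aborted || x < 0 || y < 0 || x >= W || y >= H) return;
    if (depth >= DEPTH_CAP) { aborted = 1; return; } /* real code would crash here */
    int c = im->px[y][x];
    if (c == border || c == color) return;   /* the only termination test */
    im->px[y][x] = (unsigned char)color;     /* index 261 is stored as 5 */
    fill_rec(im, x + 1, y, border, color, depth + 1);
    fill_rec(im, x - 1, y, border, color, depth + 1);
    fill_rec(im, x, y + 1, border, color, depth + 1);
    fill_rec(im, x, y - 1, border, color, depth + 1);
}

/* Returns 0 = filled, 1 = runaway recursion, -1 = index rejected up front. */
int toy_fill_to_border(toy_image *im, int x, int y, int border, int color, int guarded)
{
    int max = im->colorsTotal - 1;
    aborted = 0;
    /* Range check modelled on the one quoted in the thread (assumed extension). */
    if (guarded && !im->trueColor &&
        (color < 0 || color > max || border < 0 || border > max))
        return -1;
    fill_rec(im, x, y, border, color, 0);
    return aborted;
}

/* Constructed input: blank 8x8 palette image with 4 colors, border index 1. */
int demo(int color, int guarded)
{
    toy_image im = { .colorsTotal = 4 };
    return toy_fill_to_border(&im, 0, 0, 1, color, guarded);
}

int main(void)
{
    printf("valid=%d unguarded=%d guarded=%d\n", demo(2, 1), demo(261, 0), demo(261, 1));
    return 0;
}
```

In the unguarded run the stored value never equals the requested index, so already-painted pixels are revisited until the depth cap is hit.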