
-MFB, Fixed Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)

Mattias Bengtsson
Mattias Bengtsson committed Nov 4, 2007
1 parent 2b1c1d5 commit 7e0ca9e1d7458eb02fc547b0e0735425a0aad352
Showing with 37 additions and 8 deletions.
  1. +16 −8 ext/gd/libgd/gd.c
  2. BIN ext/gd/tests/bug43121.gif
  3. +21 −0 ext/gd/tests/bug43121.phpt
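--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -2047,14 +2047,14 @@ skip: for (x++; x<=x2 && (gdImageGetPixel(im, x, y)!=oc); x++);
 static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 {
- int l, x1, x2, dy;
+ int i, l, x1, x2, dy;
 int oc; /* old pixel value */
 int tiled;
 int wx2,wy2;
 /* stack of filled segments */
 struct seg *stack;
 struct seg *sp;
- char *pts;
+ char **pts;
 if (!im->tile) {
 return;
@@ -2064,7 +2064,11 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 tiled = nc==gdTiled;
 nc = gdImageTileGet(im,x,y);
- pts = (char *) ecalloc(im->sy * im->sx, sizeof(char));
+
+ pts = (char **) ecalloc(im->sy + 1, sizeof(char *));
+ for (i = 0; i < im->sy + 1; i++) {
+ pts[i] = (char *) ecalloc(im->sx + 1, sizeof(char));
+ }
 stack = (struct seg *)safe_emalloc(sizeof(struct seg), ((int)(im->sy*im->sx)/4), 1);
 sp = stack;
@@ -2077,9 +2081,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 FILL_PUSH(y+1, x, x, -1);
 while (sp>stack) {
 FILL_POP(y, x1, x2, dy);
- for (x=x1; x>=0 && (!pts[y + x*wx2] && gdImageGetPixel(im,x,y)==oc); x--) {
+ for (x=x1; x>=0 && (!pts[y][x] && gdImageGetPixel(im,x,y)==oc); x--) {
 nc = gdImageTileGet(im,x,y);
- pts[y + x*wx2]=1;
+ pts[y][x] = 1;
 gdImageSetPixel(im,x, y, nc);
 }
 if (x>=x1) {
@@ -2093,21 +2097,25 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 }
 x = x1+1;
 do {
- for (; x<wx2 && (!pts[y + x*wx2] && gdImageGetPixel(im,x, y)==oc) ; x++) {
+ for(; x<wx2 && (!pts[y][x] && gdImageGetPixel(im,x, y)==oc); x++) {
 nc = gdImageTileGet(im,x,y);
- pts[y + x*wx2]=1;
+ pts[y][x] = 1;
 gdImageSetPixel(im, x, y, nc);
 }
 FILL_PUSH(y, l, x-1, dy);
 /* leak on right? */
 if (x>x2+1) {
 FILL_PUSH(y, x2+1, x-1, -dy);
 }
-skip: for (x++; x<=x2 && (pts[y + x*wx2] || gdImageGetPixel(im,x, y)!=oc); x++);
+skip: for(x++; x<=x2 && (pts[y][x] || gdImageGetPixel(im,x, y)!=oc); x++);
 l = x;
 } while (x<=x2);
 }
+ for(i = 0; i < im->sy + 1; i++) {
+ efree(pts[i]);
+ }
+
 efree(pts);
 efree(stack);
 }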
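Review bot: The `+ 1` on both `pts` dimensions (`ecalloc(im->sy + 1, ...)` and `ecalloc(im->sx + 1, ...)`) is unexplained, and nothing in these hunks shows which index it is meant to absorb: the visible loops hold `x` within `0..wx2-1`, while `y` comes from `FILL_POP`, whose bounds are enforced outside the hunks. The old `pts[y + x*wx2]` indexing looks like it ran past the `sy*sx` buffer on non-square images, so I would state the invariant at the allocation, e.g. `/* pts[y][x] != 0 once (x,y) is tiled; valid for 0 <= y < im->sy, 0 <= x < im->sx, the spare row/column is slack only */`, or drop the slack if those bounds already hold. The map also now costs `im->sy + 1` allocations per fill; a single zeroed buffer indexed `pts[y*wx2 + x]` looks like it would fix the same transposed index, assuming `wx2` is the image width (it is assigned outside the hunks). The body of `_gdImageFillTiled` continues between the hunks shown.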
Binary file not shown.
@@ -0,0 +1,21 @@
+--TEST--
+Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)
+--SKIPIF--
+<?php
+ if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$im = ImageCreate( 200, 100 );
+$black = ImageColorAllocate( $im, 0, 0, 0 );
+
+$im_tile = ImageCreateFromGif( "transback.gif" );
+ImageSetTile( $im, $im_tile );
+ImageFill( $im, 0, 0, IMG_COLOR_TILED );
+
+ImageDestroy( $im );
+
+print "OK";
+?>
+--EXPECTF--
+OK
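Review bot: The script loads `transback.gif`, but the only image this commit adds is `ext/gd/tests/bug43121.gif`, so unless `transback.gif` already exists in the directory the test runs from, `ImageCreateFromGif` fails and the tiled fill path from the bug is never reached. Pointing the test at the fixture added here and anchoring the path to the test file would make it exercise the fix: `$im_tile = ImageCreateFromGif(dirname(__FILE__) . "/bug43121.gif");`. A check such as `if (!$im_tile) die("tile not loaded");` before `ImageSetTile` would make a missing fixture fail with a clear message instead of a warning from a later call.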
