More gd stuff.

author Ilia Alshanetsky <iliaa@php.net>

Fri, 4 Apr 2003 00:44:34 +0000 (00:44 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Fri, 4 Apr 2003 00:44:34 +0000 (00:44 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Fri, 4 Apr 2003 00:44:34 +0000 (00:44 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Fri, 4 Apr 2003 00:44:34 +0000 (00:44 +0000)
diff --git a/TODO_SEGFAULTS b/TODO_SEGFAULTS

index c85f861fa71f11ba34b4b21c2accc096b4bcd86b..d3e09eda0ed249374246e3f8cfd0703fa5201a63 100644 (file)
--- a/TODO_SEGFAULTS
+++ b/TODO_SEGFAULTS
@@ -28,6 +28,7 @@ Open:
      chunk_split                 (3)
      socket_select               (4)
      php_imagepolygon           (5)
+    imagesetstyle              (6)
         
  (1) heap corruption, mostly visible in malloc-related calls.  Whether you see 
      this or not might depend on your libc/compiler.  Hard to track down,
@@ -79,6 +80,10 @@ Methodology
  (5) integer overflow inside php_imagepolygon and possible subsequent 
      integer overflows inside gdlib's gdImageFilledPolygon().
  
+(6) integer overflow if the number of elements in the array passed as
+    second argument * sizeof(int) result in an overflow.
+    gdImageSetStyle function called by this php wrapper can die for the
+    same reason.  
  
  Ammendment 1.
author	Ilia Alshanetsky <iliaa@php.net>
	Fri, 4 Apr 2003 00:44:34 +0000 (00:44 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Fri, 4 Apr 2003 00:44:34 +0000 (00:44 +0000)