prevent invalid color index (palette only), may lead to crash

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 6005a69cf4d7530acb0cc12df1802161fda21ef9..5170f4f8c049fb8c9f45c99cd9794cd56f58701b 100644 (file)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1769,6 +1769,12 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
                return;
        }
 
+       if (!im->trueColor) {
+               if ((color > (im->colorsTotal - 1)) || (border > (im->colorsTotal - 1)) || (color < 0)) {
+                       return;
+               }
+       }
+
        restoreAlphaBlending = im->alphaBlendingFlag;
        im->alphaBlendingFlag = 0;
 

diff --git a/ext/gd/tests/github_bug_215.phpt b/ext/gd/tests/github_bug_215.phpt
new file mode 100644 (file)
index 0000000..f44a540
--- /dev/null
+++ b/ext/gd/tests/github_bug_215.phpt
@@ -0,0 +1,43 @@
+--TEST-- 
+Github #215 (imagefilltoborder stack overflow when invalid pallete index used)
+--SKIPIF-- 
+<?php  
+if (!extension_loaded("gd")) die("skip GD not present"); 
+?> 
+--FILE--
+<?php
+$image = imagecreate( 10, 10 ); 
+$bgd = imagecolorallocate( $image, 0, 0, 0 );
+$border = imagecolorallocate( $image, 255, 0, 0 );
+$fillcolor = imagecolorallocate( $image, 255, 0, 0 );
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor);
+echo "#1 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, -$border,  $fillcolor);
+echo "#2 passes\n";
+
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border, $fillcolor+10);
+echo "#3 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border, -$fillcolor);
+echo "#4 passes\n";
+
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor+10);
+echo "#5 passes";
+
+
+?> 
+--EXPECT-- 
+#1 passes
+#2 passes
+#3 passes
+#4 passes
+#5 passes