-MFB, Fixed Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 4c6ce998414a3d3128e2a5cf27dd9059e0ca9e7b..156031bd0cc9edfbc832c79c7e3247a51b085612 100644 (file)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -2047,14 +2047,14 @@ done:
 
 static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 {
-       int l, x1, x2, dy;
+       int i, l, x1, x2, dy;
        int oc;   /* old pixel value */
        int tiled;
        int wx2,wy2;
        /* stack of filled segments */
        struct seg *stack;
        struct seg *sp;
-       char *pts;
+       char **pts;
 
        if (!im->tile) {
                return;
@@ -2064,7 +2064,11 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
        tiled = nc==gdTiled;
 
        nc =  gdImageTileGet(im,x,y);
-       pts = (char *) ecalloc(im->sy * im->sx, sizeof(char));
+
+       pts = (char **) ecalloc(im->sy + 1, sizeof(char *));
+       for (i = 0; i < im->sy + 1; i++) {
+               pts[i] = (char *) ecalloc(im->sx + 1, sizeof(char));
+       }
 
        stack = (struct seg *)safe_emalloc(sizeof(struct seg), ((int)(im->sy*im->sx)/4), 1);
        sp = stack;
@@ -2077,9 +2081,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
        FILL_PUSH(y+1, x, x, -1);
        while (sp>stack) {
                FILL_POP(y, x1, x2, dy);
-               for (x=x1; x>=0 && (!pts[y + x*wx2] && gdImageGetPixel(im,x,y)==oc); x--) {
+               for (x=x1; x>=0 && (!pts[y][x] && gdImageGetPixel(im,x,y)==oc); x--) {
                        nc = gdImageTileGet(im,x,y);
-                       pts[y + x*wx2]=1;
+                       pts[y][x] = 1;
                        gdImageSetPixel(im,x, y, nc);
                }
                if (x>=x1) {
@@ -2093,9 +2097,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
                }
                x = x1+1;
                do {
-                       for (; x<wx2 && (!pts[y + x*wx2] && gdImageGetPixel(im,x, y)==oc) ; x++) {
+                       for(; x<wx2 && (!pts[y][x] && gdImageGetPixel(im,x, y)==oc); x++) {
                                nc = gdImageTileGet(im,x,y);
-                               pts[y + x*wx2]=1;
+                               pts[y][x] = 1;
                                gdImageSetPixel(im, x, y, nc);
                        }
                        FILL_PUSH(y, l, x-1, dy);
@@ -2103,11 +2107,15 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
                        if (x>x2+1) {
                                FILL_PUSH(y, x2+1, x-1, -dy);
                        }
-skip:                  for (x++; x<=x2 && (pts[y + x*wx2] || gdImageGetPixel(im,x, y)!=oc); x++);
+skip:          for(x++; x<=x2 && (pts[y][x] || gdImageGetPixel(im,x, y)!=oc); x++);
                        l = x;
                } while (x<=x2);
        }
 
+       for(i = 0; i < im->sy + 1; i++) {
+               efree(pts[i]);
+       }
+
        efree(pts);
        efree(stack);
 }

diff --git a/ext/gd/tests/bug43121.gif b/ext/gd/tests/bug43121.gif
new file mode 100644 (file)
index 0000000..44caffc
Binary files /dev/null and b/ext/gd/tests/bug43121.gif differ

diff --git a/ext/gd/tests/bug43121.phpt b/ext/gd/tests/bug43121.phpt
new file mode 100644 (file)
index 0000000..eecf7d3
--- /dev/null
+++ b/ext/gd/tests/bug43121.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)
+--SKIPIF--
+<?php
+       if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$im = ImageCreate( 200, 100 );
+$black = ImageColorAllocate( $im, 0, 0, 0 );
+
+$im_tile = ImageCreateFromGif( "transback.gif" );
+ImageSetTile( $im, $im_tile );
+ImageFill( $im, 0, 0, IMG_COLOR_TILED );
+
+ImageDestroy( $im );
+
+print "OK";
+?>
+--EXPECTF--
+OK