Fix #72696: imagefilltoborder stackoverflow on truecolor images
authorChristoph M. Becker <cmbecker69@gmx.de>
Tue, 25 Oct 2016 11:23:16 +0000 (13:23 +0200)
committerStanislav Malyshev <stas@php.net>
Sun, 30 Oct 2016 21:31:29 +0000 (14:31 -0700)
We must not allow negative color values to be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.

ext/gd/libgd/gd.c
ext/gd/tests/bug72696.phpt [new file with mode: 0644]

index 058f1c97598e37c902b54a672cd39da4de351ac1..3e7d27a37301f28d1d7d300457ab9ea3f2795b5f 100644 (file)
@@ -1747,7 +1747,7 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
        int leftLimit = -1, rightLimit;
        int i, restoreAlphaBlending = 0;
 
-       if (border < 0) {
+       if (border < 0 || color < 0) {
                /* Refuse to fill to a non-solid border */
                return;
        }
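Review bot: The comment inside the guard, `/* Refuse to fill to a non-solid border */`, no longer describes the whole condition now that `color < 0` is rejected too. Something like `/* Refuse to fill to a non-solid border or with a negative (special) color */` would keep the reason for the early return visible. Because the function returns void, a caller passing script-supplied color values gets a silent no-op, which is worth stating in the function's documentation. The rest of gdImageFillToBorder lies outside this hunk, so it cannot be checked from here whether `border` and `color` are also bounded from above for palette images. That is worth confirming, since the commit message implies the recursion stops only when a termination condition tied to these values is met.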
diff --git a/ext/gd/tests/bug72696.phpt b/ext/gd/tests/bug72696.phpt
new file mode 100644 (file)
index 0000000..4f0d9e7
--- /dev/null
@@ -0,0 +1,14 @@
+--TEST--
+Bug #72696 (imagefilltoborder stackoverflow on truecolor images)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(10, 10);
+imagefilltoborder($im, 0, 0, 1, -2);
+?>
+===DONE===
+--EXPECT--
+===DONE===
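Review bot: The test only shows that the script reaches `===DONE===` for one negative value on a truecolor image; it does not pin that the rejected call leaves the image untouched. Adding `var_dump(imagecolorat($im, 0, 0));` after the `imagefilltoborder()` call, with `int(0)` in the EXPECT section, would catch a regression where the guard is loosened but the fill still happens to terminate. A second case on a palette image from `imagecreate(10, 10)` would cover the non-truecolor path, which the guard in gd.c also applies to.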