From: Ilia Alshanetsky Date: Fri, 4 Apr 2003 00:29:37 +0000 (+0000) Subject: Fixed segv as well as info about new segvs in gd. X-Git-Tag: php-4.3.2RC2~165 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2ea7d06455254ad6da3707880be55752dd653521;p=php Fixed segv as well as info about new segvs in gd. --- diff --git a/TODO_SEGFAULTS b/TODO_SEGFAULTS index 888361a0e9..c85f861fa7 100644 --- a/TODO_SEGFAULTS +++ b/TODO_SEGFAULTS @@ -9,10 +9,11 @@ Fixed: exif_imagetype,exif_thumbnail (Rasmus) dbase_open (Rasmus) array_pad (Rasmus) - str_repeat (Ilia) setlocale (Rasmus) unregister_tick_function (Rasmus) bcsub (Rasmus) + str_repeat (Ilia) + imagecopyresized (Ilia) mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi) xml_parser_create (Moriyoshi) ob_start (Sascha) @@ -26,6 +27,7 @@ Open: mb_strcut('', 2147483647); (2) chunk_split (3) socket_select (4) + php_imagepolygon (5) (1) heap corruption, mostly visible in malloc-related calls. Whether you see this or not might depend on your libc/compiler. Hard to track down, @@ -74,7 +76,8 @@ Methodology echo dbase_open | php do_crash.txt - +(5) integer overflow inside php_imagepolygon and possible subsequent + integer overflows inside gdlib's gdImageFilledPolygon(). Ammendment 1.
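Review bot: in the first hunk (the Fixed list), `str_repeat (Ilia)` is removed and re-added three lines lower with no change to the entry, which is churn in the history; leave it where it was and add only `imagecopyresized (Ilia)`. The commit subject says "Fixed segv" without naming the function, so name imagecopyresized there to make the fix findable from the log.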
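Review bot: in the second hunk (the Open list), `php_imagepolygon (5)` reads as an internal symbol, while the neighbouring entries (`mb_strcut('', 2147483647);`, `chunk_split`, `socket_select`) are names callable from a script. List the script-level function or functions that reach it, ideally with the triggering arguments as the mb_strcut entry does, so the entry can be run through the do_crash.txt procedure the file describes.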
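Review bot: in the last hunk, footnote (5) is inserted under the Methodology section, directly after the `echo dbase_open | php do_crash.txt` line, whereas footnote (1) sits right below the Open list; move it next to the other numbered notes so the reference from the Open list resolves in one place. The text should also say which quantity overflows (for example a count or an allocation size) and whether the gdImageFilledPolygon() overflows are confirmed or only suspected, because "possible subsequent" leaves the triage status of the gdlib side unclear.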