From: Pierre Joye Date: Wed, 8 Jun 2016 04:06:48 +0000 (+0700) Subject: prevent invalid color index (palette only), may lead to crash X-Git-Tag: php-5.6.23RC1~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6d3fa654b702c8762aa80ab795080f5c4464d677;p=php prevent invalid color index (palette only), may lead to crash --- diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index 6005a69cf4..5170f4f8c0 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -1769,6 +1769,12 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color) return; } + if (!im->trueColor) { + if ((color > (im->colorsTotal - 1)) || (border > (im->colorsTotal - 1)) || (color < 0)) { + return; + } + } + restoreAlphaBlending = im->alphaBlendingFlag; im->alphaBlendingFlag = 0; diff --git a/ext/gd/tests/github_bug_215.phpt b/ext/gd/tests/github_bug_215.phpt new file mode 100644 index 0000000000..f44a5401e1 --- /dev/null +++ b/ext/gd/tests/github_bug_215.phpt @@ -0,0 +1,43 @@ +--TEST-- +Github #215 (imagefilltoborder stack overflow when invalid pallete index used) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +#1 passes +#2 passes +#3 passes +#4 passes +#5 passes
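Review bot: In the gd.c hunk, the new palette guard rejects `color < 0` but has no matching lower-bound test for `border`; only its upper bound is checked against `im->colorsTotal - 1`. Unless the early return just above the added lines (visible here only as `return; }`) already rejects a negative border, add `(border < 0)` to the condition so both indices are validated the same way. The comparisons would also read more directly as `color >= im->colorsTotal` and `border >= im->colorsTotal`. A short comment above the block stating that palette images must only be given indices below `colorsTotal` would document why truecolor images skip the check.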
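Review bot: In the github_bug_215.phpt hunk, the --TEST-- title misspells "palette" as "pallete"; fix it so the test can be found by searching for the term used in the commit subject. The --EXPECT-- section lists five lines of the form `#N passes`, which say nothing about which input each case exercises; labelling each line with the condition it covers (for example color above `colorsTotal - 1`, border above `colorsTotal - 1`, negative color) would make a failure point straight at the branch of the new check in gd.c that regressed.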