From: Mattias Bengtsson <mattias@php.net>
Date: Sun, 4 Nov 2007 23:57:07 +0000 (+0000)
Subject: -MFB, Fixed Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)
X-Git-Tag: RELEASE_2_0_0a1~1479
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7e0ca9e1d7458eb02fc547b0e0735425a0aad352;p=php

-MFB, Fixed Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)
---

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 4c6ce99841..156031bd0c 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -2047,14 +2047,14 @@ done:
 
 static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 {
-	int l, x1, x2, dy;
+	int i, l, x1, x2, dy;
 	int oc;   /* old pixel value */
 	int tiled;
 	int wx2,wy2;
 	/* stack of filled segments */
 	struct seg *stack;
 	struct seg *sp;
-	char *pts;
+	char **pts;
 
 	if (!im->tile) {
 		return;
@@ -2064,7 +2064,11 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 	tiled = nc==gdTiled;
 
 	nc =  gdImageTileGet(im,x,y);
-	pts = (char *) ecalloc(im->sy * im->sx, sizeof(char));
+
+	pts = (char **) ecalloc(im->sy + 1, sizeof(char *));
+	for (i = 0; i < im->sy + 1; i++) {
+		pts[i] = (char *) ecalloc(im->sx + 1, sizeof(char));
+	}
 
 	stack = (struct seg *)safe_emalloc(sizeof(struct seg), ((int)(im->sy*im->sx)/4), 1);
 	sp = stack;
@@ -2077,9 +2081,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
  	FILL_PUSH(y+1, x, x, -1);
 	while (sp>stack) {
 		FILL_POP(y, x1, x2, dy);
-		for (x=x1; x>=0 && (!pts[y + x*wx2] && gdImageGetPixel(im,x,y)==oc); x--) {
+		for (x=x1; x>=0 && (!pts[y][x] && gdImageGetPixel(im,x,y)==oc); x--) {
 			nc = gdImageTileGet(im,x,y);
-			pts[y + x*wx2]=1;
+			pts[y][x] = 1;
 			gdImageSetPixel(im,x, y, nc);
 		}
 		if (x>=x1) {
@@ -2093,9 +2097,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 		}
 		x = x1+1;
 		do {
-			for (; x<wx2 && (!pts[y + x*wx2] && gdImageGetPixel(im,x, y)==oc) ; x++) {
+			for(; x<wx2 && (!pts[y][x] && gdImageGetPixel(im,x, y)==oc); x++) {
 				nc = gdImageTileGet(im,x,y);
-				pts[y + x*wx2]=1;
+				pts[y][x] = 1;
 				gdImageSetPixel(im, x, y, nc);
 			}
 			FILL_PUSH(y, l, x-1, dy);
@@ -2103,11 +2107,15 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 			if (x>x2+1) {
 				FILL_PUSH(y, x2+1, x-1, -dy);
 			}
-skip:			for (x++; x<=x2 && (pts[y + x*wx2] || gdImageGetPixel(im,x, y)!=oc); x++);
+skip:		for(x++; x<=x2 && (pts[y][x] || gdImageGetPixel(im,x, y)!=oc); x++);
 			l = x;
 		} while (x<=x2);
 	}
 
+	for(i = 0; i < im->sy + 1; i++) {
+		efree(pts[i]);
+	}
+
 	efree(pts);
 	efree(stack);
 }
diff --git a/ext/gd/tests/bug43121.gif b/ext/gd/tests/bug43121.gif
new file mode 100644
index 0000000000..44caffc5e8
Binary files /dev/null and b/ext/gd/tests/bug43121.gif differ
diff --git a/ext/gd/tests/bug43121.phpt b/ext/gd/tests/bug43121.phpt
new file mode 100644
index 0000000000..eecf7d31e2
--- /dev/null
+++ b/ext/gd/tests/bug43121.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$im = ImageCreate( 200, 100 );
+$black = ImageColorAllocate( $im, 0, 0, 0 );
+
+$im_tile = ImageCreateFromGif( "transback.gif" );
+ImageSetTile( $im, $im_tile );
+ImageFill( $im, 0, 0, IMG_COLOR_TILED );
+
+ImageDestroy( $im );
+
+print "OK";
+?>
+--EXPECTF--
+OK