From: Pierre Joye <pajoye@php.net>
Date: Sun, 10 Dec 2006 02:08:07 +0000 (+0000)
Subject: - MFB: #39508, imagefill crashes with small image
X-Git-Tag: RELEASE_1_0_0RC1~736
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=df5d4a52f9faf041783342850b315ddc15736317;p=php

- MFB: #39508, imagefill crashes with small image
---

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 79897145ca..13d72f1984 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1931,6 +1931,29 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
 		return;
 	}
 
+	/* Do not use the 4 neighbors implementation with
+   * small images
+   */
+	if (im->sx < 4) {
+		int ix = x, iy = y, c;
+		do {
+			c = gdImageGetPixel(im, ix, iy);
+			if (c != oc) {
+				return;
+			}
+			gdImageSetPixel(im, ix, iy, nc);
+		} while(ix++ < (im->sx -1));
+		ix = x; iy = y + 1;
+		do {
+			c = gdImageGetPixel(im, ix, iy);
+			if (c != oc) {
+				return;
+			}
+			gdImageSetPixel(im, ix, iy, nc);
+		} while(ix++ < (im->sx -1));
+		return;
+	}
+
 	stack = (struct seg *)safe_emalloc(sizeof(struct seg), ((int)(im->sy*im->sx)/4), 1);
 	sp = stack;
 
diff --git a/ext/gd/tests/bug39508.phpt b/ext/gd/tests/bug39508.phpt
new file mode 100644
index 0000000000..9e86efc207
--- /dev/null
+++ b/ext/gd/tests/bug39508.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #39508 (imagefill crashes with small images 3 pixels or less)
+--SKIPIF--
+<?php 
+	if (!extension_loaded('gd')) die("skip gd extension not available\n"); 
+	if (!GD_BUNDLED) die('skip external GD libraries always fail');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(3,1);
+$bgcolor = imagecolorallocatealpha($im,255, 255, 0, 0);
+imagefill($im,0,0,$bgcolor);
+print_r(imagecolorat($im, 1,0));
+?>
+--EXPECTF--
+16776960