From 7f57a366dcc353fa22e21b26e6214b26df6c86da Mon Sep 17 00:00:00 2001 From: Mattias Bengtsson Date: Sun, 4 Nov 2007 23:56:00 +0000 Subject: [PATCH] - Fixed Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd) --- ext/gd/libgd/gd.c | 24 ++++++++++++++++-------- ext/gd/tests/bug43121.gif | Bin 0 -> 347 bytes ext/gd/tests/bug43121.phpt | 21 +++++++++++++++++++++ 3 files changed, 37 insertions(+), 8 deletions(-) create mode 100644 ext/gd/tests/bug43121.gif create mode 100644 ext/gd/tests/bug43121.phpt diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c index 9f0e9fdc09..cfb50d4efd 100644 --- a/ext/gd/libgd/gd.c +++ b/ext/gd/libgd/gd.c @@ -2050,14 +2050,14 @@ done: static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc) { - int l, x1, x2, dy; + int i, l, x1, x2, dy; int oc; /* old pixel value */ int tiled; int wx2,wy2; /* stack of filled segments */ struct seg *stack; struct seg *sp; - char *pts; + char **pts; if (!im->tile) { return; @@ -2067,7 +2067,11 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc) tiled = nc==gdTiled; nc = gdImageTileGet(im,x,y); - pts = (char *) ecalloc(im->sy * im->sx, sizeof(char)); + + pts = (char **) ecalloc(im->sy + 1, sizeof(char *)); + for (i = 0; i < im->sy + 1; i++) { + pts[i] = (char *) ecalloc(im->sx + 1, sizeof(char)); + } stack = (struct seg *)safe_emalloc(sizeof(struct seg), ((int)(im->sy*im->sx)/4), 1); sp = stack; @@ -2080,9 +2084,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc) FILL_PUSH(y+1, x, x, -1); while (sp>stack) { FILL_POP(y, x1, x2, dy); - for (x=x1; x>=0 && (!pts[y + x*wx2] && gdImageGetPixel(im,x,y)==oc); x--) { + for (x=x1; x>=0 && (!pts[y][x] && gdImageGetPixel(im,x,y)==oc); x--) { nc = gdImageTileGet(im,x,y); - pts[y + x*wx2]=1; + pts[y][x] = 1; gdImageSetPixel(im,x, y, nc); } if (x>=x1) { 
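Review bot: The extra row and column in the new `pts` allocation (`im->sy + 1` rows of `im->sx + 1` bytes each) are not explained, so a reader cannot tell whether the fill loops are expected to touch `pts[im->sy]` or `pts[y][im->sx]`, or whether the padding only masks an off-by-one. A comment above the allocation would record the intent, for example `/* pts[y][x] != 0: pixel (x,y) already filled; one spare row/column so edge probes stay in bounds */`, if that is indeed the reason. The row count `im->sy + 1` is written out a second time in the free loop of the last hunk, and holding it in one local would keep the allocation and release loops from drifting apart. Separately, the unchanged `safe_emalloc` line still computes `im->sy*im->sx` in `int` before the overflow-checked allocator sees it, which matters only if image dimensions are not already bounded elsewhere.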
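Review bot: `pts[y][x]` in the leftward scan indexes the row table with a `y` taken straight from `FILL_POP`, and nothing visible in this hunk shows that `y` lies within the allocated rows. With a table of row pointers, an out-of-range `y` loads a pointer from outside the table before the byte access, so the invariant deserves to be stated where the index is used. The bound is presumably enforced when segments are pushed (the `FILL_PUSH` macro is defined outside the hunk); a comment such as `/* y was range-checked against wy2 when the segment was pushed */` would let a reader verify that, if it is where the check lives. The loop guards `x` only from below (`x>=0`), so the same question applies to `x1` as the starting column. The function body starts and ends outside this hunk.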
@@ -2096,9 +2100,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc) } x = x1+1; do { - for (; xx2+1) { FILL_PUSH(y, x2+1, x-1, -dy); } -skip: for (x++; x<=x2 && (pts[y + x*wx2] || gdImageGetPixel(im,x, y)!=oc); x++); +skip: for(x++; x<=x2 && (pts[y][x] || gdImageGetPixel(im,x, y)!=oc); x++); l = x; } while (x<=x2); } + for(i = 0; i < im->sy + 1; i++) { + efree(pts[i]); + } + efree(pts); efree(stack); } diff --git a/ext/gd/tests/bug43121.gif b/ext/gd/tests/bug43121.gif new file mode 100644 index 0000000000000000000000000000000000000000..44caffc5e85d90a88fc82d01945be4c55b6d51dc GIT binary patch literal 347 zcmV-h0i^y%Nk%w1VL$*t0FeLy00030|NqR)%>V!YA^8LW00093EC2ui06+jh00092 zjBlc=h|Ju9OC~C8z}a&Bc^Ei~6nUBux~h>|!HwKWp1I~ms$IX~S?vy>| z&l!YrhSK6Ad0l3k+h;fWrG~8&Y*~BeroC%$Tl^+p&~tU2eRt>Kd-=xP$Ab4qM`&j_ zcr+%chuFx-=NPFN2kA!{NMpIF*-6Ct=~)FjD!OP|iJBS8TH1R08iy%)2}nx{>#Cc} zn;N^i>l+N*ODtS`tD5|~Jlu>t8*PhwTy1>)Y@LlQUD$p2ooE~0NIp4^?wt<4F0TI0 z4nI}iPA_jCpYN`Zzwh4<@Z3Ft{0ROt7_inrg#{TNbeNEu25$8bT7-B};uHJ#n`nNvam06Q89r=S1; literal 0 HcmV?d00001 diff --git a/ext/gd/tests/bug43121.phpt b/ext/gd/tests/bug43121.phpt new file mode 100644 index 0000000000..eecf7d31e2 --- /dev/null +++ b/ext/gd/tests/bug43121.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +OK -- 2.50.1