Fix #66387: Stack overflow with imagefilltoborder

cmb69 · weltling · commit f96ebb098697 · 2016-06-13T08:10:36.000+02:00
The stack overflow is caused by the recursive algorithm in combination with a
very large negative coordinate passed to gdImageFillToBorder(). As there is
already a clipping for large positive coordinates to the width and height of
the image, it seems to be consequent to clip to zero also.
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -1774,9 +1774,13 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
 
 	if (x >= im->sx) {
 		x = im->sx - 1;
+	} else if (x < 0) {
+		x = 0;
 	}
 	if (y >= im->sy) {
 		y = im->sy - 1;
+	} else if (y < 0) {
+		y = 0;
 	}
 
 	for (i = x; i >= 0; i--) {
diff --git a/ext/gd/tests/bug66387.phpt b/ext/gd/tests/bug66387.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #66387 (Stack overflow with imagefilltoborder)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available!');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(20, 20);
+$c = imagecolorallocate($im, 255, 0, 0);
+imagefilltoborder($im, 0, -999355, $c, $c);
+echo "ready\n";
+?>
+--EXPECT--
+ready

Original file line number	Diff line number	Diff line change
`@@ -1774,9 +1774,13 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)`
`1774`	`1774`
`1775`	`1775`	`if (x >= im->sx) {`
`1776`	`1776`	`x = im->sx - 1;`
	`1777`	`+ } else if (x < 0) {`
	`1778`	`+ x = 0;`
`1777`	`1779`	`}`
`1778`	`1780`	`if (y >= im->sy) {`
`1779`	`1781`	`y = im->sy - 1;`
	`1782`	`+ } else if (y < 0) {`
	`1783`	`+ y = 0;`
`1780`	`1784`	`}`
`1781`	`1785`
`1782`	`1786`	`for (i = x; i >= 0; i--) {`