Fix #72696: imagefilltoborder stackoverflow on truecolor images
We must not allow negative color values to be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
Upstream-status: Backport
CVE: CVE-2016-9933
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: php-5.6.26/ext/gd/libgd/gd.c
===================================================================
--- php-5.6.26.orig/ext/gd/libgd/gd.c 2016-09-16 02:32:50.000000000 +0530
+++ php-5.6.26/ext/gd/libgd/gd.c 2017-07-07 18:18:38.079721713 +0530
@@ -1780,7 +1780,7 @@
int leftLimit = -1, rightLimit;
int i, restoreAlphaBlending = 0;
- if (border < 0) {
+ if (border < 0 || color < 0) {
/* Refuse to fill to a non-solid border */
return;
}
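Review bot: The comment under the widened guard still reads `/* Refuse to fill to a non-solid border */`, which no longer explains why `color < 0` is rejected. I would reword it to `/* Refuse a non-solid border or a negative color: the fill's stop condition may never be met (CVE-2016-9933) */` so the security reason survives later refactoring. The check covers only negative values; whether `color` and `border` also get an upper bound for palette images cannot be seen from this hunk and is worth confirming in the rest of the function, which starts and ends outside the hunk.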
Index: php-5.6.26/ext/gd/tests/bug72696.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php-5.6.26/ext/gd/tests/bug72696.phpt 2017-07-07 18:19:16.939987470 +0530
@@ -0,0 +1,14 @@
+--TEST--
+Bug #72696 (imagefilltoborder stackoverflow on truecolor images)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(10, 10);
+imagefilltoborder($im, 0, 0, 1, -2);
+?>
+===DONE===
+--EXPECT--
+===DONE===
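Review bot: The test passes whenever the process does not crash, so it would miss a regression where the call stops recursing but still writes pixels with an unintended color. Adding `var_dump(imagecolorat($im, 0, 0));` after the `imagefilltoborder()` call, with `int(0)` ahead of `===DONE===` in the EXPECT section, pins that the rejected call leaves the image untouched. Only a truecolor image with color `-2` is covered; a second case on an `imagecreate()` palette image would exercise the same guard on the other image type.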