author | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
commit | e2958a432947f16a89f196171a572abc1c506154 (patch) | |
tree | de3eb8998c1b54f88954a46feccd716edd83c4ea /bug66387.patch | |
parent | 003b71973f17c66ab9544546f693f290dbfa300e (diff) |
PHP 5.4.45 with security fix from 5.5.37
Diffstat (limited to 'bug66387.patch')
-rw-r--r-- | bug66387.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/bug66387.patch b/bug66387.patch
new file mode 100644
index 0000000..51291ab
--- /dev/null
+++ b/bug66387.patch
@@ -0,0 +1,57 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From f96ebb098697908641c6d37e1149cde1f90417fd Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmb@php.net>
+Date: Mon, 20 Jul 2015 23:24:55 +0200
+Subject: [PATCH] Fix #66387: Stack overflow with imagefilltoborder
+
+The stack overflow is caused by the recursive algorithm in combination with a
+very large negative coordinate passed to gdImageFillToBorder(). As there is
+already a clipping for large positive coordinates to the width and height of
+the image, it seems to be consequent to clip to zero also.
+---
+ ext/gd/libgd/gd.c | 4 ++++
+ ext/gd/tests/bug66387.phpt | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+)
+ create mode 100644 ext/gd/tests/bug66387.phpt
+
+diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
+index d73f094..2c63aac 100644
+--- a/ext/gd/libgd/gd.c
++++ b/ext/gd/libgd/gd.c
+@@ -1770,9 +1770,13 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
+
+ if (x >= im->sx) {
+ x = im->sx - 1;
++ } else if (x < 0) {
++ x = 0;
+ }
+ if (y >= im->sy) {
+ y = im->sy - 1;
++ } else if (y < 0) {
++ y = 0;
+ }
+
+ for (i = x; i >= 0; i--) {
+diff --git a/ext/gd/tests/bug66387.phpt b/ext/gd/tests/bug66387.phpt
+new file mode 100644
+index 0000000..79c49a5
+--- /dev/null
++++ b/ext/gd/tests/bug66387.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #66387 (Stack overflow with imagefilltoborder)
++--SKIPIF--
++<?php
++if (!extension_loaded('gd')) die('skip gd extension not available!');
++?>
++--FILE--
++<?php
++$im = imagecreatetruecolor(20, 20);
++$c = imagecolorallocate($im, 255, 0, 0);
++imagefilltoborder($im, 0, -999355, $c, $c);
++echo "ready\n";
++?>
++--EXPECT--
++ready |
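Review bot: The added `else if (x < 0)` and `else if (y < 0)` branches in gdImageFillToBorder only bring the seed point into range; the recursive fill that the commit message names as the cause lies outside this hunk, so stack use presumably still grows with the image height and only the extra distance from an out-of-range seed is removed. A comment above the clamps would record that limit, for example `/* clamp seed into the image so recursion depth is bounded by im->sy, not by the caller's y */`. Clamping also means an out-of-image seed such as the test's `-999355` now fills from row 0 instead of being ignored, and bug66387.phpt checks only that the script prints `ready`, so that behaviour is not pinned; an assertion on a pixel value after the call would do it. The function's body starts and ends outside the hunk.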