From e2958a432947f16a89f196171a572abc1c506154 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 23 Jun 2016 15:53:37 +0200 Subject: PHP 5.4.45 with security fix from 5.5.37 --- bug66387.patch | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 bug66387.patch (limited to 'bug66387.patch') diff --git a/bug66387.patch b/bug66387.patch new file mode 100644 index 0000000..51291ab --- /dev/null +++ b/bug66387.patch @@ -0,0 +1,57 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From f96ebb098697908641c6d37e1149cde1f90417fd Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 20 Jul 2015 23:24:55 +0200 +Subject: [PATCH] Fix #66387: Stack overflow with imagefilltoborder + +The stack overflow is caused by the recursive algorithm in combination with a +very large negative coordinate passed to gdImageFillToBorder(). As there is +already a clipping for large positive coordinates to the width and height of +the image, it seems to be consequent to clip to zero also. +--- + ext/gd/libgd/gd.c | 4 ++++ + ext/gd/tests/bug66387.phpt | 15 +++++++++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 ext/gd/tests/bug66387.phpt + +diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c +index d73f094..2c63aac 100644 +--- a/ext/gd/libgd/gd.c ++++ b/ext/gd/libgd/gd.c +@@ -1770,9 +1770,13 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color) + + if (x >= im->sx) { + x = im->sx - 1; ++ } else if (x < 0) { ++ x = 0; + } + if (y >= im->sy) { + y = im->sy - 1; ++ } else if (y < 0) { ++ y = 0; + } + + for (i = x; i >= 0; i--) { +diff --git a/ext/gd/tests/bug66387.phpt b/ext/gd/tests/bug66387.phpt +new file mode 100644 +index 0000000..79c49a5 +--- /dev/null ++++ b/ext/gd/tests/bug66387.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #66387 (Stack overflow with imagefilltoborder) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++ready -- cgit