Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6: prevent invalid color index (palette only), may lead to crash Add CVE to #66387 add missing NEWS entry
2026-03-29 11:42:17 +02:00 · 2016-06-08 11:07:32 +07:00
parent 99f8a5587b 6d3fa654b7
commit 4d81bf937f
3 changed files with 54 additions and 1 deletions
--- a/6
+++ b/6
@@ -15,6 +15,9 @@ PHP                                                                        NEWS
  . Fixed bug #72308 (fastcgi_finish_request and logging environment
    variables). (Laruence)

+- GD:
+  . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
+
 - Intl:
  . Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)

@@ -1005,7 +1008,8 @@ PHP                                                                        NEWS

 - GD:
  . Fixed bug #53156 (imagerectangle problem with point ordering). (cmb)
-  . Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb)
+  . Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
+    (cmb)
  . Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb)
  . Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb)
  . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb)
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1767,6 +1767,12 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
 		return;
 	}

+	if (!im->trueColor) {
+		if ((color > (im->colorsTotal - 1)) || (border > (im->colorsTotal - 1)) || (color < 0)) {
+			return;
+		}
+	}
+
 	restoreAlphaBlending = im->alphaBlendingFlag;
 	im->alphaBlendingFlag = 0;

--- a/ext/gd/tests/github_bug_215.phpt
+++ b/ext/gd/tests/github_bug_215.phpt
@@ -0,0 +1,43 @@
+--TEST-- 
+Github #215 (imagefilltoborder stack overflow when invalid pallete index used)
+--SKIPIF-- 
+<?php  
+if (!extension_loaded("gd")) die("skip GD not present"); 
+?> 
+--FILE--
+<?php
+$image = imagecreate( 10, 10 ); 
+$bgd = imagecolorallocate( $image, 0, 0, 0 );
+$border = imagecolorallocate( $image, 255, 0, 0 );
+$fillcolor = imagecolorallocate( $image, 255, 0, 0 );
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor);
+echo "#1 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, -$border,  $fillcolor);
+echo "#2 passes\n";
+
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border, $fillcolor+10);
+echo "#3 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border, -$fillcolor);
+echo "#4 passes\n";
+
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor+10);
+echo "#5 passes";
+
+
+?> 
+--EXPECT-- 
+#1 passes
+#2 passes
+#3 passes
+#4 passes
+#5 passes