From 1d0f1283510757782d4898f98aae62d0c3bb58fd Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Tue, 7 Jun 2016 18:41:17 +0200
Subject: [PATCH 1/3] add missing NEWS entry

---
 NEWS | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/NEWS b/NEWS
index 7b94ee3a1e2..7df775b4a81 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016, PHP 5.6.23
 
+- GD:
+  . Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
+
 - Intl:
   . Fixed bug #70484 (selectordinal doesn't work with named parameters).
     (Anatol)

From 62f9d1e3ae434c3b59e6781ff890c9ba4a2ccf24 Mon Sep 17 00:00:00 2001
From: Lior Kaplan <kaplanlior@gmail.com>
Date: Tue, 7 Jun 2016 21:45:24 +0300
Subject: [PATCH 2/3] Add CVE to #66387

---
 NEWS | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 7df775b4a81..8686b862f85 100644
--- a/NEWS
+++ b/NEWS
@@ -479,7 +479,8 @@ PHP                                                                        NEWS
   
 - GD:
   . Fixed bug #53156 (imagerectangle problem with point ordering). (cmb)
-  . Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb)
+  . Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
+    (cmb)
   . Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb)
   . Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb)
   . Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb)

From 6d3fa654b702c8762aa80ab795080f5c4464d677 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Wed, 8 Jun 2016 11:06:48 +0700
Subject: [PATCH 3/3] prevent invalid color index (palette only), may lead to
 crash

---
 ext/gd/libgd/gd.c                |  6 +++++
 ext/gd/tests/github_bug_215.phpt | 43 ++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 ext/gd/tests/github_bug_215.phpt

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 6005a69cf4d..5170f4f8c04 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -1769,6 +1769,12 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
 		return;
 	}
 
+	if (!im->trueColor) {
+		if ((color > (im->colorsTotal - 1)) || (border > (im->colorsTotal - 1)) || (color < 0)) {
+			return;
+		}
+	}
+
 	restoreAlphaBlending = im->alphaBlendingFlag;
 	im->alphaBlendingFlag = 0;
 
diff --git a/ext/gd/tests/github_bug_215.phpt b/ext/gd/tests/github_bug_215.phpt
new file mode 100644
index 00000000000..f44a5401e18
--- /dev/null
+++ b/ext/gd/tests/github_bug_215.phpt
@@ -0,0 +1,43 @@
+--TEST-- 
+Github #215 (imagefilltoborder stack overflow when invalid pallete index used)
+--SKIPIF-- 
+<?php  
+if (!extension_loaded("gd")) die("skip GD not present"); 
+?> 
+--FILE--
+<?php
+$image = imagecreate( 10, 10 ); 
+$bgd = imagecolorallocate( $image, 0, 0, 0 );
+$border = imagecolorallocate( $image, 255, 0, 0 );
+$fillcolor = imagecolorallocate( $image, 255, 0, 0 );
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor);
+echo "#1 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, -$border,  $fillcolor);
+echo "#2 passes\n";
+
+
+/* Use unallocated color index */
+imagefilltoborder( $image, 0,0, $border, $fillcolor+10);
+echo "#3 passes\n";
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border, -$fillcolor);
+echo "#4 passes\n";
+
+
+/* Use negative color index */
+imagefilltoborder( $image, 0,0, $border+10, $fillcolor+10);
+echo "#5 passes";
+
+
+?> 
+--EXPECT-- 
+#1 passes
+#2 passes
+#3 passes
+#4 passes
+#5 passes