ID:          46318
 Updated by:  [EMAIL PROTECTED]
 Reported By: cndougla at linux dot vnet dot ibm dot com
-Status:      Open
+Status:      Bogus
 Bug Type:    GD related
 PHP Version: 5.2.6
 New Comment:

Duplicate of libgd bug #177.


Previous Comments:
------------------------------------------------------------------------

[2008-10-16 19:32:09] cndougla at linux dot vnet dot ibm dot com

A patch to fix the issue:

diff -uNr -ur php-5.2.6.orig/ext/gd/libgd/gd.c
php-5.2.6/ext/gd/libgd/gd.c
--- php-5.2.6.orig/ext/gd/libgd/gd.c    2007-11-04 17:56:00.000000000
-0600
+++ php-5.2.6/ext/gd/libgd/gd.c 2008-10-16 13:03:41.000000000 -0500
@@ -1938,9 +1938,9 @@
 struct seg {int y, xl, xr, dy;};

 /* max depth of stack */
-#define FILL_MAX 1200000
+#define FILL_MAX ((int)(im->sy*im->sx)/4)
 #define FILL_PUSH(Y, XL, XR, DY) \
-    if (sp<stack+FILL_MAX*10 && Y+(DY)>=0 && Y+(DY)<wy2) \
+    if (sp<stack+FILL_MAX && Y+(DY)>=0 && Y+(DY)<wy2) \
     {sp->y = Y; sp->xl = XL; sp->xr = XR; sp->dy = DY; sp++;}

 #define FILL_POP(Y, XL, XR, DY) \
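Review bot: the new bound `sp<stack+FILL_MAX` in the FILL_PUSH line goes to zero for images with fewer than four pixels, since `((int)(im->sy*im->sx)/4)` truncates to 0, and then every push, including the two seed segments, is silently dropped and the fill does nothing, which is the same symptom the report describes. Suggest clamping the capacity to a small minimum and having the push record that it overflowed (a flag gdImageFill can check) rather than discarding the segment without trace. The allocation of `stack` is not in this hunk, so the check and the allocation are now two separate expressions that can drift; compute the element count once into a local and use it for both the allocation and the `stack + count` bound. Note also that FILL_MAX now refers to a local named `im`, so every place that expands FILL_MAX or FILL_PUSH must have one in scope, which the old constant did not require.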

------------------------------------------------------------------------

[2008-10-16 19:30:38] cndougla at linux dot vnet dot ibm dot com

Description:
------------
In gdImageFill, a stack is created for the flood fill algorithm.
Originally it seems the stack was created with space for 1,200,000
structures, but that has since been commented out and the stack is now
created dynamically with the depth determined by the size of the image.
The macro used to push structures onto the stack was checking for
overflow based on checking the current stack pointer. Instead of
comparing the stack pointer to the real size of the stack, the stack
pointer was compared against the size of the structure (16 bytes) *
1,200,000 * 10. I have no idea why the factor of 10 was there. This
large value wraps 32-bit arithmetic all the way around such that the
comparison was no longer valid, and it always seemed the stack had
overflowed even before anything was pushed onto it.

Reproduce code:
---------------
<?php
    $im = imagecreatetruecolor(30, 50);  // new truecolor image, every pixel colour 0
    imagefill($im, 0, 0, 1);             // Color every pixel 1
    $col = imagecolorat($im, 20, 20);    // 1 if the flood fill reached the middle of the image
    echo "$col\n";
?>

Expected result:
----------------
1

Actual result:
--------------
0 when the bug shows up. I found it to fail on ppc64 when it was built
as a ppc32 userspace library, while on a ppc32 or x86 or x86_64 system
it passed just fine.


------------------------------------------------------------------------
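The description above explains the flood-fill stack and how a push bound that does not match the real stack makes the fill silently do nothing. The following is an added example written for this page, not libgd's or PHP's code: a Heckbert-style scanline seed fill of the same shape (segment stack, push macro with a range check) in which the bound is the one variable that sized the allocation, a tiny image still gets a usable stack, and an exhausted stack is reported to the caller instead of being dropped. The `image` type, the function names, the `image_fill_cap` test hook and the one-segment-per-four-pixels default are all assumptions made for the example.

```c
/*
 * Added example, not libgd's or PHP's code: scanline seed fill whose push
 * check uses the same capacity value that sized the stack, so the check can
 * never disagree with the real allocation, and whose overflow is reported.
 * The image type, names and the cap = pixels/4 default are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>

struct image { int sx, sy; int *px; };
struct seg { int y, xl, xr, dy; };

static struct image *image_create(int sx, int sy)
{
    struct image *im = malloc(sizeof *im);
    if (!im) return NULL;
    im->sx = sx; im->sy = sy;
    im->px = calloc((size_t)sx * (size_t)sy, sizeof *im->px); /* colour 0 everywhere */
    if (!im->px) { free(im); return NULL; }
    return im;
}

static void image_destroy(struct image *im) { if (im) { free(im->px); free(im); } }
static int image_get(const struct image *im, int x, int y) { return im->px[(size_t)y * im->sx + x]; }
static void image_set(struct image *im, int x, int y, int c) { im->px[(size_t)y * im->sx + x] = c; }

/* Number of pixels carrying colour c; used to check how far a fill got. */
static long image_count(const struct image *im, int c)
{
    long n = 0;
    for (long i = 0; i < (long)im->sx * im->sy; i++) if (im->px[i] == c) n++;
    return n;
}

/*
 * Flood fill from (x, y) with colour nc using a stack of at most cap segments.
 * Returns 1 if the fill completed, 0 if the stack ran out (fill incomplete),
 * -1 on bad arguments or allocation failure.
 */
static int image_fill_cap(struct image *im, int x, int y, int nc, size_t cap)
{
    if (x < 0 || y < 0 || x >= im->sx || y >= im->sy || cap == 0) return -1;
    int oc = image_get(im, x, y);
    if (oc == nc) return 1;                      /* nothing to do */

    struct seg *stack = malloc(cap * sizeof *stack);
    if (!stack) return -1;
    struct seg *sp = stack, *end = stack + cap;  /* bound is the real capacity */
    int overflow = 0;

#define PUSH(Y, XL, XR, DY) do {                                             \
        if ((Y) + (DY) >= 0 && (Y) + (DY) < im->sy) {                       \
            if (sp < end) { sp->y = (Y); sp->xl = (XL); sp->xr = (XR);      \
                            sp->dy = (DY); sp++; }                           \
            else overflow = 1;                   /* never dropped silently */ \
        } } while (0)

    PUSH(y, x, x, 1);        /* popped second: the line below the seed */
    PUSH(y + 1, x, x, -1);   /* popped first: the seed line itself */

    while (sp > stack) {
        --sp;
        int cy = sp->y + sp->dy, x1 = sp->xl, x2 = sp->xr, dy = sp->dy;
        int cx, l = x1, skip = 0;

        /* Extend left from x1 while pixels still carry the old colour. */
        for (cx = x1; cx >= 0 && image_get(im, cx, cy) == oc; cx--)
            image_set(im, cx, cy, nc);
        if (cx >= x1) {
            skip = 1;                            /* x1 already changed: find next run */
        } else {
            l = cx + 1;
            if (l < x1) PUSH(cy, l, x1 - 1, -dy);   /* run leaked past the left end */
            cx = x1 + 1;
        }
        do {
            if (!skip) {
                for (; cx < im->sx && image_get(im, cx, cy) == oc; cx++)
                    image_set(im, cx, cy, nc);
                PUSH(cy, l, cx - 1, dy);
                if (cx > x2 + 1) PUSH(cy, x2 + 1, cx - 1, -dy); /* leaked past the right end */
            }
            skip = 0;
            for (cx++; cx <= x2 && image_get(im, cx, cy) != oc; cx++) { /* skip other colours */ }
            l = cx;
        } while (cx <= x2);
    }
#undef PUSH
    free(stack);
    return overflow ? 0 : 1;
}

/* Default capacity: one segment per four pixels, never fewer than four. */
static int image_fill(struct image *im, int x, int y, int nc)
{
    size_t cap = (size_t)im->sx * (size_t)im->sy / 4;
    return image_fill_cap(im, x, y, nc, cap < 4 ? 4 : cap);
}

/* Stand-alone run mirroring the report's reproduce script: 30x50, fill at (0,0). */
int main(void)
{
    struct image *im = image_create(30, 50);
    if (!im) return 1;
    int rc = image_fill(im, 0, 0, 1);
    printf("fill rc=%d colour at (20,20)=%d filled=%ld\n", rc, image_get(im, 20, 20), image_count(im, 1));
    image_destroy(im);
    return 0;
}
```

The point of `image_fill_cap` is that the capacity used for the `sp < end` check is the same value passed to `malloc`, so a unit mismatch like the one in the report (a constant that does not describe the allocation) cannot arise; forcing a one-segment stack through it shows the fill stopping short and returning 0 rather than quietly leaving the image unchanged.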


-- 
Edit this bug report at http://bugs.php.net/?id=46318&edit=1
