ID: 46318 Updated by: [EMAIL PROTECTED] Reported By: cndougla at linux dot vnet dot ibm dot com -Status: Open +Status: Bogus Bug Type: GD related PHP Version: 5.2.6 New Comment:
Duplicate of libgd bug #177. Previous Comments: ------------------------------------------------------------------------ [2008-10-16 19:32:09] cndougla at linux dot vnet dot ibm dot com A patch to fix the issue: diff -uNr -ur php-5.2.6.orig/ext/gd/libgd/gd.c php-5.2.6/ext/gd/libgd/gd.c --- php-5.2.6.orig/ext/gd/libgd/gd.c 2007-11-04 17:56:00.000000000 -0600 +++ php-5.2.6/ext/gd/libgd/gd.c 2008-10-16 13:03:41.000000000 -0500 @@ -1938,9 +1938,9 @@ struct seg {int y, xl, xr, dy;}; /* max depth of stack */ -#define FILL_MAX 1200000 +#define FILL_MAX ((int)(im->sy*im->sx)/4) #define FILL_PUSH(Y, XL, XR, DY) \ - if (sp<stack+FILL_MAX*10 && Y+(DY)>=0 && Y+(DY)<wy2) \ + if (sp<stack+FILL_MAX && Y+(DY)>=0 && Y+(DY)<wy2) \ {sp->y = Y; sp->xl = XL; sp->xr = XR; sp->dy = DY; sp++;} #define FILL_POP(Y, XL, XR, DY) \ ------------------------------------------------------------------------ [2008-10-16 19:30:38] cndougla at linux dot vnet dot ibm dot com Description: ------------ In gdImageFill, a stack is created for the flood fill algorithm. Originally it seems the stack was created with space for 1,200,000 structures, but that has since been commented out and the stack is now created dynamically with the depth determined by the size of the image. The macro used to push structures onto the stack was checking for overflow based on checking the current stack pointer. Instead of comparing the stack pointer to the real size of the stack, the stack pointer was compared against the size of the structure (16 bytes) * 1,200,000 * 10. I have no idea why the factor of 10 was there. This large value wraps 32-bit arithmetic all the way around such that the comparison was no longer valid, and it always seemed the stack had overflowed even before anything was pushed onto it. Reproduce code: --------------- <?php $im = imagecreatetruecolor(30, 50); imagefill($im, 0, 0, 1); // Color every pixel 1 $col = imagecolorat($im, 20, 20); echo "$col\n"; ?> Expected result: ---------------- 1 Actual result: -------------- 0 when the bug shows up. I found it to fail on ppc64 when it was built as a ppc32 userspace library, while on a ppc32 or x86 or x86_64 system it passed just fine. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=46318&edit=1