php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #72045 Stack-overflow on imagefilltoborder
Submitted: 2016-04-17 18:14 UTC Modified: 2016-06-07 10:24 UTC
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 5.6.20 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2016-04-17 18:14 UTC] fernando at null-life dot com 
Description:
------------
Run test script with PHP 5.6.20.



Test script:
---------------
<?php

$img = imagecreatetruecolor (100 , 100);
imagefilltoborder($img, 100, 1, 257, -10066304);


Expected result:
----------------
No crash

Actual result:
--------------
ERROR: AddressSanitizer: stack-overflow on address 0xbf142ff8 (pc 0xb299e348 bp 0x00000064 sp 0xbf142ffc T0)
    #0 0xb299e347 in gdImageFillToBorder (/usr/lib/i386-linux-gnu/libgd.so.3+0xb347)
    #1 0xb299e507 in gdImageFillToBorder (/usr/lib/i386-linux-gnu/libgd.so.3+0xb507)
    #2 0xb299e4e7 in gdImageFillToBorder (/usr/lib/i386-linux-gnu/libgd.so.3+0xb4e7)
    ...
    #248 0xb299e4e7 in gdImageFillToBorder (/usr/lib/i386-linux-gnu/libgd.so.3+0xb4e7)
    #249 0xb299e507 in gdImageFillToBorder (/usr/lib/i386-linux-gnu/libgd.so.3+0xb507)
    #250 0xb299e4e7 in gdImageFillToBorder (/usr/lib/i386-linux-gnu/libgd.so.3+0xb4e7)

SUMMARY: AddressSanitizer: stack-overflow ??:0 gdImageFillToBorder
==8427==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-24 16:46 UTC] fernando at null-life dot com 
I think this can be closed.

This is a duplicate of https://bugs.php.net/bug.php?id=66387 when using systemwide libgd, and this was recently fixed here for libgd (CVE-2015-8874):

https://github.com/libgd/libgd/issues/213
 [2016-06-07 10:24 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-06-07 10:24 UTC] cmb@php.net 
> I think this can be closed.

ACK.

Bug #72350 might be a duplicate of this ticket.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 01:00:02 2025 UTC