From: cndougla at linux dot vnet dot ibm dot com
Operating system:
PHP version: 5.2.6
PHP Bug Type: GD related
Bug description: gdImageFill invalid stack overflow comparison
Description:
------------
In gdImageFill, a stack is created for the flood fill algorithm. Originally, it seems, the stack was created with space for 1,200,000 structures, but that has since been commented out and the stack is now created dynamically with the depth determined by the size of the image.

The macro used to push structures onto the stack was checking for overflow based on checking the current stack pointer. Instead of comparing the stack pointer to the real size of the stack, the stack pointer was compared against the size of the structure (16 bytes) * 1,200,000 * 10. I have no idea why the factor of 10 was there. This large value wraps 32-bit arithmetic all the way around such that the comparison was no longer valid, and it always seemed the stack had overflowed even before anything was pushed onto it.

Reproduce code:
---------------
<?php
$im = imagecreatetruecolor(30, 50);
imagefill($im, 0, 0, 1); // Color every pixel 1
$col = imagecolorat($im, 20, 20);
echo "$col\n";
?>

Expected result:
----------------
1

Actual result:
--------------
0 when the bug shows up. I found it to fail on ppc64 when it was built as a ppc32 userspace library, while on a ppc32 or x86 or x86_64 system it passed just fine.
--
Edit bug report at http://bugs.php.net/?id=46318&edit=1
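The comparison the report describes, modelled as an added example (constructed for this page; it is not libgd's or PHP's code): the old bound, computed in 32-bit address arithmetic so that it can wrap when the stack lives high in the address space, beside a check against the capacity that was actually allocated, followed by a flood fill that uses the corrected check and reproduces the report's 30x50 canvas test. The entry size of 16 bytes, the depth of 1,200,000 and the factor of 10 come from the report; the sample base addresses, the function names and the 4-connected fill are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Figures taken from the report: the old fixed depth and the 16-byte entry. */
#define OLD_FILL_MAX 1200000u
#define ENTRY_BYTES  16u

/* Model of the old bound check in 32-bit address arithmetic (constructed, not
 * libgd's code). The limit is base + 16 * 1,200,000 * 10 = base + 192,000,000,
 * which wraps past 2^32 whenever the stack was allocated above roughly
 * 0xF48E5000. After the wrap, "sp < limit" is false even for an empty stack,
 * so every push is refused, which is the symptom the report describes. */
static int old_push_allowed(uint32_t stack_base, uint32_t sp)
{
    uint32_t span  = ENTRY_BYTES * OLD_FILL_MAX * 10u;   /* 192,000,000 */
    uint32_t limit = (uint32_t)(stack_base + span);       /* modular: may wrap */
    return sp < limit;
}

/* Corrected check: compare the fill level with the allocated capacity as an
 * index, so no address arithmetic (and no wrap) is involved at all. */
static int new_push_allowed(size_t sp_index, size_t capacity)
{
    return sp_index < capacity;
}

typedef struct { int w, h; int *px; } image;   /* assumed: one int per pixel */
struct pt { int x, y; };

static image *image_new(int w, int h)
{
    image *im = malloc(sizeof *im);
    if (!im) return NULL;
    im->w = w; im->h = h;
    im->px = calloc((size_t)w * h, sizeof *im->px);   /* every pixel starts at 0 */
    if (!im->px) { free(im); return NULL; }
    return im;
}

static void image_free(image *im) { if (im) { free(im->px); free(im); } }

static int image_get(const image *im, int x, int y)
{
    return im->px[(size_t)y * im->w + x];
}

/* 4-connected flood fill of the region containing (x, y). The stack depth is
 * derived from the image: each pixel is recoloured at most once and each
 * recolouring pushes at most four neighbours, so 4*w*h + 1 entries suffice.
 * Returns 1 on success, 0 if allocation failed or the bound check ever fired. */
static int image_fill(image *im, int x, int y, int color)
{
    int old = image_get(im, x, y);
    if (old == color) return 1;
    size_t capacity = 4 * (size_t)im->w * im->h + 1;
    struct pt *stack = malloc(capacity * sizeof *stack);
    if (!stack) return 0;
    size_t sp = 0;
    int refused = 0;
#define PUSH(X, Y) do { \
        if (new_push_allowed(sp, capacity)) { stack[sp].x = (X); stack[sp].y = (Y); sp++; } \
        else refused = 1; \
    } while (0)
    PUSH(x, y);
    while (sp > 0) {
        struct pt p = stack[--sp];
        if (p.x < 0 || p.y < 0 || p.x >= im->w || p.y >= im->h) continue;
        if (image_get(im, p.x, p.y) != old) continue;
        im->px[(size_t)p.y * im->w + p.x] = color;
        PUSH(p.x + 1, p.y); PUSH(p.x - 1, p.y);
        PUSH(p.x, p.y + 1); PUSH(p.x, p.y - 1);
    }
#undef PUSH
    free(stack);
    return !refused;
}

/* Number of pixels carrying a given colour. */
static int image_count(const image *im, int color)
{
    int n = 0;
    for (int i = 0; i < im->w * im->h; i++) n += (im->px[i] == color);
    return n;
}

/* The report's reproduce script: 30x50 canvas, fill from (0,0) with colour 1,
 * read back (20,20). Returns that colour (expected 1), or -1 on failure. */
static int demo_fill_30x50(void)
{
    image *im = image_new(30, 50);
    if (!im) return -1;
    int col = image_fill(im, 0, 0, 1) ? image_get(im, 20, 20) : -1;
    image_free(im);
    return col;
}

/* Same fill, returning how many of the 1500 pixels ended up coloured 1. */
static int demo_fill_count(void)
{
    image *im = image_new(30, 50);
    if (!im) return -1;
    int n = image_fill(im, 0, 0, 1) ? image_count(im, 1) : -1;
    image_free(im);
    return n;
}
```

With a stack base of 0x10000000 the old check admits the first push, while with a base of 0xF8000000 the computed limit wraps to 0x0371B000 and the same empty stack is reported as full; the index-based check behaves identically wherever the buffer lands.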