mattias Sun Nov 4 23:56:00 2007 UTC
Added files: (Branch: PHP_5_2)
/php-src/ext/gd/tests bug43121.gif bug43121.phpt
Modified files:
/php-src/ext/gd/libgd gd.c
Log:
- Fixed Bug #43121 (gdImageFill with IMG_COLOR_TILED crashes httpd)
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd.c?r1=1.90.2.1.2.21&r2=1.90.2.1.2.22&diff_format=u
Index: php-src/ext/gd/libgd/gd.c
diff -u php-src/ext/gd/libgd/gd.c:1.90.2.1.2.21
php-src/ext/gd/libgd/gd.c:1.90.2.1.2.22
--- php-src/ext/gd/libgd/gd.c:1.90.2.1.2.21 Tue Sep 11 21:03:48 2007
+++ php-src/ext/gd/libgd/gd.c Sun Nov 4 23:56:00 2007
@@ -2050,14 +2050,14 @@
static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
{
- int l, x1, x2, dy;
+ int i, l, x1, x2, dy;
int oc; /* old pixel value */
int tiled;
int wx2,wy2;
/* stack of filled segments */
struct seg *stack;
struct seg *sp;
- char *pts;
+ char **pts;
if (!im->tile) {
return;
@@ -2067,7 +2067,11 @@
tiled = nc==gdTiled;
nc = gdImageTileGet(im,x,y);
- pts = (char *) ecalloc(im->sy * im->sx, sizeof(char));
+
+ pts = (char **) ecalloc(im->sy + 1, sizeof(char *));
+ for (i = 0; i < im->sy + 1; i++) {
+ pts[i] = (char *) ecalloc(im->sx + 1, sizeof(char));
+ }
stack = (struct seg *)safe_emalloc(sizeof(struct seg),
((int)(im->sy*im->sx)/4), 1);
sp = stack;
@@ -2080,9 +2084,9 @@
FILL_PUSH(y+1, x, x, -1);
while (sp>stack) {
FILL_POP(y, x1, x2, dy);
- for (x=x1; x>=0 && (!pts[y + x*wx2] &&
gdImageGetPixel(im,x,y)==oc); x--) {
+ for (x=x1; x>=0 && (!pts[y][x] && gdImageGetPixel(im,x,y)==oc);
x--) {
nc = gdImageTileGet(im,x,y);
- pts[y + x*wx2]=1;
+ pts[y][x] = 1;
gdImageSetPixel(im,x, y, nc);
}
if (x>=x1) {
@@ -2096,9 +2100,9 @@
}
x = x1+1;
do {
- for (; x<wx2 && (!pts[y + x*wx2] &&
gdImageGetPixel(im,x, y)==oc) ; x++) {
+ for(; x<wx2 && (!pts[y][x] && gdImageGetPixel(im,x,
y)==oc); x++) {
nc = gdImageTileGet(im,x,y);
- pts[y + x*wx2]=1;
+ pts[y][x] = 1;
gdImageSetPixel(im, x, y, nc);
}
FILL_PUSH(y, l, x-1, dy);
@@ -2106,11 +2110,15 @@
if (x>x2+1) {
FILL_PUSH(y, x2+1, x-1, -dy);
}
-skip: for (x++; x<=x2 && (pts[y + x*wx2] ||
gdImageGetPixel(im,x, y)!=oc); x++);
+skip: for(x++; x<=x2 && (pts[y][x] || gdImageGetPixel(im,x, y)!=oc);
x++);
l = x;
} while (x<=x2);
}
+ for(i = 0; i < im->sy + 1; i++) {
+ efree(pts[i]);
+ }
+
efree(pts);
efree(stack);
}
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/bug43121.phpt?view=markup&rev=1.1
Index: php-src/ext/gd/tests/bug43121.phpt
+++ php-src/ext/gd/tests/bug43121.phpt
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
![[PHP-CVS] cvs: php-src(PHP_5_2) /ext/gd/libgd gd.c /ext/gd/tests bug43121.gif bug43121.phpt](/search?l=php-cvs@lists.php.net&q=subject:%22%5C%5BPHP%5C-CVS%5C%5D+cvs%5C%3A+php%5C-src%5C%28PHP_5_2%5C%29+%5C%2Fext%5C%2Fgd%5C%2Flibgd+gd.c++%5C%2Fext%5C%2Fgd%5C%2Ftests+bug43121.gif+bug43121.phpt%22&o=newest){kind=link}
