:fix and unit test for crash issue in gdImageFillTiled

2016-01-09 06:09:52 +02:00 · 2016-01-09 06:09:52 +02:00 · e87ec88e1c
parent 73ab7c7d28
commit e87ec88e1c
5 changed files with 45 additions and 6 deletions
--- a/src/gd.c
+++ b/src/gd.c
@ -2201,9 +2201,9 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 	FILL_PUSH(y+1, x, x, -1);
 	while (sp>stack) {
 		FILL_POP(y, x1, x2, dy);
-		for (x=x1; x>=0 && (!pts[y + x*wx2] && gdImageGetPixel(im,x,y)==oc); x--) {
+		for (x=x1; x>=0 && (!pts[y + x*wy2] && gdImageGetPixel(im,x,y)==oc); x--) {
 			nc = gdImageTileGet(im,x,y);
-			pts[y + x*wx2]=1;
+			pts[y + x*wy2]=1;
 			gdImageSetPixel(im,x, y, nc);
 		}
 		if (x>=x1) {
@ -2217,13 +2217,13 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 		}
 		x = x1+1;
 		do {
-			for (; x<wx2 && (!pts[y + x*wx2] && gdImageGetPixel(im,x, y)==oc) ; x++) {
-				if (pts[y + x*wx2]) {
+			for (; x<wx2 && (!pts[y + x*wy2] && gdImageGetPixel(im,x, y)==oc) ; x++) {
+				if (pts[y + x*wy2]) {
 					/* we should never be here */
 					break;
 				}
 				nc = gdImageTileGet(im,x,y);
-				pts[y + x*wx2]=1;
+				pts[y + x*wy2]=1;
 				gdImageSetPixel(im, x, y, nc);
 			}
 			FILL_PUSH(y, l, x-1, dy);
@ -2232,7 +2232,7 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 				FILL_PUSH(y, x2+1, x-1, -dy);
 			}
 skip:
-			for (x++; x<=x2 && (pts[y + x*wx2] || gdImageGetPixel(im,x, y)!=oc); x++);
+			for (x++; x<=x2 && (pts[y + x*wy2] || gdImageGetPixel(im,x, y)!=oc); x++);
 			l = x;
 		} while (x<=x2);
 	}
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -70,6 +70,7 @@ EXTRA_PROGRAMS = \
 	gdimagefill/bug00002_1 \
 	gdimagefill/bug00002_4 \
 	gdimagefill/bug00002_3 \
+	gdimagefill/bug00104_1 \
 	gdimagecolorclosest/gdimagecolorclosest \
 	gif/bug00005 \
 	gif/gif_im2im \
@ -167,6 +168,7 @@ check_PROGRAMS += \
 	gdimagefill/bug00002_1 \
 	gdimagefill/bug00002_4 \
 	gdimagefill/bug00002_3 \
+	gdimagefill/bug00104_1 \
 	gdimagecolorclosest/gdimagecolorclosest \
 	gif/bug00005 \
 	gif/gif_im2im \
@ -267,6 +269,7 @@ EXTRA_DIST = \
 	gdimagefill/bug00002_2_exp.png \
 	gdimagefill/bug00002_1_exp.png \
 	gdimagefill/bug00002_4_exp.png \
+	gdimagefill/bug00104_1_exp.png \
 	gif/bug00005_0.gif \
 	gif/bug00005_1.gif \
 	gif/bug00005_3.gif \
--- a/tests/gdimagefill/CMakeLists.txt
+++ b/tests/gdimagefill/CMakeLists.txt
@ -4,6 +4,7 @@ SET(TESTS_FILES
 	bug00002_2
 	bug00002_3
 	bug00002_4
+	bug00104_1
 )
 FOREACH(test_name ${TESTS_FILES})
 	add_executable(${test_name} "${test_name}.c")
--- a/tests/gdimagefill/bug00104_1.c
+++ b/tests/gdimagefill/bug00104_1.c
@ -0,0 +1,35 @@
+/* test case for outside of buffer reads/write bug in _gdImageFillTiled */
+#include "gd.h"
+#include <stdio.h>
+#include "gdtest.h"
+
+int main()
+{
+	gdImagePtr im, tile;
+	int im_white, tile_red, tile_blue;
+	int x, y, error = 0;
+	char path[1024];
+	
+	im = gdImageCreate(200, 150);
+
+	tile = gdImageCreateTrueColor(2, 2);
+	
+	tile_red = gdImageColorAllocate(tile, 255, 0, 0);
+	tile_blue = gdImageColorAllocate(tile, 0, 0, 255);
+	
+	gdImageSetPixel(tile, 0, 0, tile_red);
+	gdImageSetPixel(tile, 1, 1, tile_red);
+	gdImageSetPixel(tile, 1, 0, tile_blue);
+	gdImageSetPixel(tile, 0, 1, tile_blue);
+	
+	gdImageSetTile(im, tile);
+	gdImageFill(im, 11, 12, gdTiled);
+
+	sprintf(path, "%s/gdimagefill/bug00104_1_exp.png", GDTEST_TOP_DIR);
+	if (!gdAssertImageEqualsToFile(path, im)) {
+		error = 1;
+	}
+	
+	gdImageDestroy(im);
+	return error;
+}
--- a/tests/gdimagefill/bug00104_1_exp.png
+++ b/tests/gdimagefill/bug00104_1_exp.png