Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.

Upstream bug: https://bugs.php.net/bug.php?id=66387
Upstream fix: http://git.php.net/?p=php-src.git;a=commit;h=e7f2356665c2569191a946b6fc35b437f0ae1384
This is not a PHP flaw, but rather a gd/libgd flaw. PHP embeds the gd library as part of its gd extension. The upstream gd bug report is still unresolved. Apparently, the issue is not yet resolved in any released gd version.

https://github.com/libgd/libgd/issues/178

Additionally, in gd itself, both large positive and large negative coordinates can trigger deep recursion leading to stack overflow and crash.

This has limited impact (crash), and is triggered if the gdImageFillToBorder (libgd) or imagefilltoborder (php) function is called with a starting coordinate outside the image boundaries, and the function is not very likely to get called with coordinates from an untrusted source. There is currently no plan to backport the fix to PHP packages in Red Hat products.
PHP patch that added upper boundary:
http://git.php.net/?p=php-src.git;a=commitdiff;h=feba44546c27b0158f9ac20e72040a224b918c75
https://bugs.php.net/bug.php?id=22965
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html
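A simplified model of the guard discussed in this thread, as an added example that is not code from PHP, libgd or Red Hat: a border fill that rejects a start coordinate outside the image in both directions before doing any work. The names `img_t`, `make_sample` and `fill_to_border` are hypothetical, the image is a constructed toy, and the example goes beyond the thread by using a fixed-size work stack in place of recursion so that depth is bounded by the pixel count.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not libgd's gdImage: fixed 8x6 palette image. */
#define W 8
#define H 6
typedef struct { int sx, sy; unsigned char px[H][W]; } img_t;

/* Constructed sample: blank image with a vertical border (colour 1) at x == 4. */
static img_t make_sample(void)
{
    img_t im;
    memset(&im, 0, sizeof im);
    im.sx = W; im.sy = H;
    for (int y = 0; y < H; y++) im.px[y][4] = 1;
    return im;
}

/* Returns the number of pixels painted, or -1 when the start point is rejected. */
static int fill_to_border(img_t *im, int x, int y, int border, int color)
{
    static const int dx[4] = {1, -1, 0, 0}, dy[4] = {0, 0, 1, -1};
    /* Each painted pixel pushes 4 neighbours, so 4*W*H + 1 slots always suffice. */
    int stack[4 * W * H + 1][2], top = 0, painted = 0;
    /* Reject both too-large and negative start coordinates before any work. */
    if (x < 0 || y < 0 || x >= im->sx || y >= im->sy) return -1;

    stack[top][0] = x; stack[top][1] = y; top++;
    while (top > 0) {
        top--;
        int cx = stack[top][0], cy = stack[top][1];
        if (cx < 0 || cy < 0 || cx >= im->sx || cy >= im->sy) continue;
        if (im->px[cy][cx] == border || im->px[cy][cx] == color) continue;
        im->px[cy][cx] = (unsigned char)color;
        painted++;
        for (int i = 0; i < 4; i++) {
            stack[top][0] = cx + dx[i]; stack[top][1] = cy + dy[i]; top++;
        }
    }
    return painted;
}

int main(void)
{
    img_t im = make_sample();
    printf("out of range: %d\n", fill_to_border(&im, -1, 2, 1, 2));
    printf("in range: %d\n", fill_to_border(&im, 1, 1, 1, 2));
    return 0;
}
```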