authorChristoph M. Becker <cmbecker69@gmx.de>2018-03-10 00:17:09 +0100
committerChristoph M. Becker <cmbecker69@gmx.de>2018-03-10 00:17:09 +0100
commitf1b358c9a928e28e58bb23c5d5baa723df4638e0 (patch)
tree7879584c9cb1c4fb2fe9cbb24b0a53bf6b8342ec
parent34b9f9dedf78a01844074d595e483371a28dfdd3 (diff)
downloadphp-git-f1b358c9a928e28e58bb23c5d5baa723df4638e0.tar.gz
Fix #73957: signed integer conversion in imagescale()
We must not pass values to `gdImageScale()` which cannot be represented by an `unsigned int`. Instead we return FALSE, consistent with what we already do for negative integers.
-rw-r--r--NEWS3
-rw-r--r--ext/gd/gd.c2
-rw-r--r--ext/gd/tests/bug73957.phpt20
3 files changed, 24 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 17f35a614b..566494414f 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,9 @@ PHP NEWS
. Fixed bug #76044 ('date: illegal option -- -' in ./configure on FreeBSD).
(Anatol)
+- GD:
+ . Fixed bug #73957 (signed integer conversion in imagescale()). (cmb)
+
01 Mar 2018, PHP 7.1.15
- Apache2Handler:
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index e7667d2d2a..291e4e6859 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -4720,7 +4720,7 @@ PHP_FUNCTION(imagescale)
}
}
- if (tmp_h <= 0 || tmp_w <= 0) {
+ if (tmp_h <= 0 || tmp_h > INT_MAX || tmp_w <= 0 || tmp_w > INT_MAX) {
RETURN_FALSE;
}
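Review bot: The condition now rejects anything above `INT_MAX`, but the commit message describes the limit as what an `unsigned int` can represent, and nothing at the check says which bound is intended or why. A one-line comment above the `if` would settle it, for example `/* gdImageScale() takes unsigned int, but reject > INT_MAX too: gd keeps image dimensions in int */`; the reason given there is my reading of libgd and should be confirmed. The failure is also silent (`RETURN_FALSE` with no diagnostic), which matches the existing handling of non-positive sizes but leaves callers unable to tell an oversized request from any other failure. PHP_FUNCTION(imagescale) begins and ends outside this hunk, so the arithmetic that produces tmp_h and tmp_w before this check is not reviewed here.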
diff --git a/ext/gd/tests/bug73957.phpt b/ext/gd/tests/bug73957.phpt
new file mode 100644
index 0000000000..370956f032
--- /dev/null
+++ b/ext/gd/tests/bug73957.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73957 (signed integer conversion in imagescale())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
+?>
+--FILE--
+<?php
+$im = imagecreate(8, 8);
+$im = imagescale($im, 0x100000001, 1);
+var_dump($im);
+if ($im) { // which is not supposed to happen
+ var_dump(imagesx($im));
+}
+?>
+===DONE===
+--EXPECT--
+bool(false)
+===DONE===
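Review bot: The test exercises only an oversized width (`0x100000001`), so the new `tmp_h > INT_MAX` branch and the range between `INT_MAX` and `UINT_MAX` are not covered. Adding `var_dump(imagescale($src, 1, 0x100000001));` and `var_dump(imagescale($src, 0x80000000, 1));` with two more `bool(false)` lines under `--EXPECT--` would pin both. Because `$im` is overwritten with the result of the first call, these need the source image kept in its own variable (shown here as `$src`).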