authorChristoph M. Becker <cmb@php.net>2015-07-23 18:13:47 +0200
committerChristoph M. Becker <cmb@php.net>2015-07-23 18:31:28 +0200
commit87829c09a1d9e39bee994460d7ccf19dd20eda14 (patch)
tree223ae10d7283266ac65b47a11cc7f7fe72bb160f
parent91f985b2f9b5ba03d7b98bdaa710331c115f6a70 (diff)
Fix #70052: getimagesize() fails for very large and very small WBMP
Very large WBMP (width or height greater than 2**31-1) cause an overflow and circumvent the size limitation of 2048x2048 px. Very small WBMP (less than 12 bytes) cause a read error and are not recognized. This patch fixes both bugs.
-rw-r--r--ext/standard/image.c25
-rw-r--r--ext/standard/tests/image/bug70052.phpt21
-rw-r--r--ext/standard/tests/image/bug70052_1.wbmpbin0 -> 12 bytes
-rw-r--r--ext/standard/tests/image/bug70052_2.wbmpbin0 -> 7 bytes
4 files changed, 39 insertions, 7 deletions
diff --git a/ext/standard/image.c b/ext/standard/image.c
index 426a0990b6..a240493677 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -969,6 +969,10 @@ static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check T
return 0;
}
width = (width << 7) | (i & 0x7f);
+ /* maximum valid width for wbmp (although 127 may be a more accurate one) */
+ if (width > 2048) {
+ return 0;
+ }
} while (i & 0x80);
/* get height */
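Review bot: The added `width > 2048` check bounds the decoded value but not the number of continuation bytes, so a run of `0x80` bytes leaves `width` at 0 with `i & 0x80` still set and the loop keeps reading one byte at a time until the stream read fails. The height loop in the next hunk has the same shape. A small per-field counter would bound the work on a hostile or very long stream, for example a new local `nbytes` with `if (++nbytes > 5) { return 0; }` at the top of each loop body. php_get_wbmp starts and ends outside this hunk, so the declared type of `width` and the read call itself are not visible here.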
@@ -978,10 +982,13 @@ static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check T
return 0;
}
height = (height << 7) | (i & 0x7f);
+ /* maximum valid heigth for wbmp (although 127 may be a more accurate one) */
+ if (height > 2048) {
+ return 0;
+ }
} while (i & 0x80);
- /* maximum valid sizes for wbmp (although 127x127 may be a more accurate one) */
- if (!height || !width || height > 2048 || width > 2048) {
+ if (!height || !width) {
return 0;
}
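Review bot: The new comment above the height check misspells the word; it should read `/* maximum valid height for wbmp (although 127 may be a more accurate one) */`. The limit `2048` is now written out in two separate checks (width and height), so a single named constant used by both would keep them from drifting apart if the limit is ever revised.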
@@ -1223,6 +1230,7 @@ PHP_FUNCTION(image_type_to_extension)
PHPAPI int php_getimagetype(php_stream * stream, char *filetype TSRMLS_DC)
{
char tmp[12];
+ int twelve_bytes_read;
if ( !filetype) filetype = tmp;
if((php_stream_read(stream, filetype, 3)) != 3) {
@@ -1273,12 +1281,11 @@ PHPAPI int php_getimagetype(php_stream * stream, char *filetype TSRMLS_DC)
return IMAGE_FILETYPE_ICO;
}
- if (php_stream_read(stream, filetype+4, 8) != 8) {
- php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Read error!");
- return IMAGE_FILETYPE_UNKNOWN;
- }
+ /* WBMP may be smaller than 12 bytes, so delay error */
+ twelve_bytes_read = (php_stream_read(stream, filetype+4, 8) == 8);
+
/* BYTES READ: 12 */
- if (!memcmp(filetype, php_sig_jp2, 12)) {
+ if (twelve_bytes_read && !memcmp(filetype, php_sig_jp2, 12)) {
return IMAGE_FILETYPE_JP2;
}
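Review bot: After a short read, bytes 4 to 11 of `filetype` are only partly written, yet the unchanged comment `/* BYTES READ: 12 */` still tells the reader that twelve bytes are available. Only the JP2 `memcmp` is visibly guarded by `twelve_bytes_read` in this hunk; any other comparison between here and the WBMP probe that looks past byte 3 would need the same guard, which cannot be confirmed from the lines shown. I would reword the comment to `/* BYTES READ: 12 if twelve_bytes_read, fewer otherwise */`. When the caller supplies its own `filetype` buffer, it may also be worth documenting that the buffer contents are not fully defined on the short-read path.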
@@ -1286,6 +1293,10 @@ PHPAPI int php_getimagetype(php_stream * stream, char *filetype TSRMLS_DC)
if (php_get_wbmp(stream, NULL, 1 TSRMLS_CC)) {
return IMAGE_FILETYPE_WBMP;
}
+ if (!twelve_bytes_read) {
+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Read error!");
+ return IMAGE_FILETYPE_UNKNOWN;
+ }
if (php_get_xbm(stream, NULL TSRMLS_CC)) {
return IMAGE_FILETYPE_XBM;
}
diff --git a/ext/standard/tests/image/bug70052.phpt b/ext/standard/tests/image/bug70052.phpt
new file mode 100644
index 0000000000..76ebda92b2
--- /dev/null
+++ b/ext/standard/tests/image/bug70052.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #70052 (getimagesize() fails for very large and very small WBMP)
+--FILE--
+<?php
+var_dump(getimagesize(__DIR__ . '/bug70052_1.wbmp'));
+var_dump(getimagesize(__DIR__ . '/bug70052_2.wbmp'));
+?>
+--EXPECT--
+bool(false)
+array(5) {
+ [0]=>
+ int(3)
+ [1]=>
+ int(3)
+ [2]=>
+ int(15)
+ [3]=>
+ string(20) "width="3" height="3""
+ ["mime"]=>
+ string(18) "image/vnd.wap.wbmp"
+}
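Review bot: The test has no case for a file shorter than 12 bytes that is not a WBMP, which is the path the relocated `Read error!` notice in php_getimagetype() now takes after the WBMP probe fails. The two fixtures cover the oversized-dimension rejection and the small valid image. A third fixture holding a few bytes of non-WBMP data, with the expected notice and `bool(false)` in the `--EXPECT--` section, would pin that the delayed error is still reported.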
diff --git a/ext/standard/tests/image/bug70052_1.wbmp b/ext/standard/tests/image/bug70052_1.wbmp
new file mode 100644
index 0000000000..2c32f379ae
--- /dev/null
+++ b/ext/standard/tests/image/bug70052_1.wbmp
Binary files differ
diff --git a/ext/standard/tests/image/bug70052_2.wbmp b/ext/standard/tests/image/bug70052_2.wbmp
new file mode 100644
index 0000000000..d0f4313fc1
--- /dev/null
+++ b/ext/standard/tests/image/bug70052_2.wbmp
Binary files differ