diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-07-21 11:07:43 +0200 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2020-08-02 15:33:24 -0700 |
commit | ff577b04c0d250473a0ef46f8e332960fec3ca2c (patch) | |
tree | 0f18df95ba2ba05ad16d0b785460069f6c551737 | |
parent | 7355ab81763a3d6a04ac11660e6a16d58838d187 (diff) | |
download | php-git-ff577b04c0d250473a0ef46f8e332960fec3ca2c.tar.gz |
Fix #79877: getimagesize function silently truncates after a null byte
We have to check for NUL bytes if `getimagesize()` has been called.
-rw-r--r-- | ext/standard/image.c | 5 | ||||
-rw-r--r-- | ext/standard/tests/image/bug79877.phpt | 9 |
2 files changed, 14 insertions, 0 deletions
diff --git a/ext/standard/image.c b/ext/standard/image.c index c634727ea3..4e63411904 100644 --- a/ext/standard/image.c +++ b/ext/standard/image.c @@ -1478,6 +1478,11 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) { Z_PARAM_ZVAL_DEREF(info) ZEND_PARSE_PARAMETERS_END(); + if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) { + php_error_docref(NULL, E_WARNING, "Invalid path"); + return; + } + if (argc == 2) { zval_ptr_dtor(info); array_init(info); diff --git a/ext/standard/tests/image/bug79877.phpt b/ext/standard/tests/image/bug79877.phpt new file mode 100644 index 0000000000..92e93e59e5 --- /dev/null +++ b/ext/standard/tests/image/bug79877.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #79877 (getimagesize function silently truncates after a null byte) +--FILE-- +<?php +var_dump(getimagesize("/tmp/a.png\0xx")); +?> +--EXPECTF-- +Warning: getimagesize(): Invalid path in %s on line %d +NULL |