MFH: Fixed bug #29443 (Sanity check for wbmp detection).

author: Ilia Alshanetsky <iliaa@php.net> 2004-07-30 01:10:46 +0000
committer: Ilia Alshanetsky <iliaa@php.net> 2004-07-30 01:10:46 +0000
commit: ef6cfdbec3d862b12bc407e0e528f2daf3f0e14b (patch)
tree: 13354a5f718e14877573a31d569a7a0ec8808a28
parent: 00f869c0a77f666523342071dc1bae6026f03feb (diff)
download: php-git-ef6cfdbec3d862b12bc407e0e528f2daf3f0e14b.tar.gz
2 files changed, 6 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 7c71198bfb..dfadf5a217 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP 4                                                                      NEWS
 - Updated PCRE to provide better error handling in certain cases. (Andrei)
 - NSAPI: added "bucket" parameter to list of non-php.ini-keys of php4_execute
   for doing performance stats without warnings in server-log. (Uwe Schindler)
+- Fixed bug #29443 (Sanity check for wbmp detection). (Ilia)
 - Fixed bug #29369 (Uploaded files with ' or " in their names get their names
   truncated at those characters). (Ilia)
 - Fixed bug #29349 (imagecreatefromstring() crashes with external GD library).
diff --git a/ext/standard/image.c b/ext/standard/image.c
index cef34dd8d1..b0782e3780 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -940,6 +940,11 @@ static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check T
 		}
 		height = (height << 7) | (i & 0x7f);
 	} while (i & 0x80);
+
+	/* maximum valid sizes for wbmp (although 127x127 may be a more accurate one) */
+	if (height > 2048 || width > 2048) {
+		return 0;
+	}
 	
 	if (!check) {
 		(*result)->width = width;
author	Ilia Alshanetsky <iliaa@php.net>	2004-07-30 01:10:46 +0000
committer	Ilia Alshanetsky <iliaa@php.net>	2004-07-30 01:10:46 +0000
commit	ef6cfdbec3d862b12bc407e0e528f2daf3f0e14b (patch)
tree	13354a5f718e14877573a31d569a7a0ec8808a28
parent	00f869c0a77f666523342071dc1bae6026f03feb (diff)
download	php-git-ef6cfdbec3d862b12bc407e0e528f2daf3f0e14b.tar.gz