authorMattias Bengtsson <mattias@php.net>2007-08-09 14:21:38 +0000
committerMattias Bengtsson <mattias@php.net>2007-08-09 14:21:38 +0000
commit31264450737f394de75c08ace6c14eb713daf245 (patch)
treec4d11534e477a40d6d1227c8abcb635d16f4bdac
parent436a7a9767748a95292a72a758c0a6e2c86206e5 (diff)
- libgd #101, imagecreatefromgd can crash if gdImageCreate fails
-rw-r--r--ext/gd/libgd/gd_gd.c3
-rw-r--r--ext/gd/tests/libgd00101.gd1
-rw-r--r--ext/gd/tests/libgd00101.phpt18
3 files changed, 22 insertions, 0 deletions
diff --git a/ext/gd/libgd/gd_gd.c b/ext/gd/libgd/gd_gd.c
index 2d259cdd51..55587d43e8 100644
--- a/ext/gd/libgd/gd_gd.c
+++ b/ext/gd/libgd/gd_gd.c
@@ -122,6 +122,9 @@ static gdImagePtr _gdCreateFromFile (gdIOCtx * in, int *sx, int *sy)
} else {
im = gdImageCreate(*sx, *sy);
}
+ if(!im) {
+ goto fail1;
+ }
if (!_gdGetColors(in, im, gd2xFlag)) {
goto fail2;
}
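Review bot: The new guard jumps to `fail1`, whose cleanup code is outside this hunk, so it is worth confirming that `fail1` never touches `im` and that only `fail2` frees the image. The check sits after the if/else, so it appears to cover both creation calls, which is the right placement. A short comment would tell the next reader why NULL is possible here, for example `/* gdImageCreate*() returns NULL when the requested dimensions are rejected */`; the dimensions presumably come from the file header, but that read is not visible in this hunk. The spacing should also match the neighbouring statement: `if (!im) {`. The body of `_gdCreateFromFile` starts and ends outside the hunk.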
diff --git a/ext/gd/tests/libgd00101.gd b/ext/gd/tests/libgd00101.gd
new file mode 100644
index 0000000000..5516ce09c0
--- /dev/null
+++ b/ext/gd/tests/libgd00101.gd
@@ -0,0 +1 @@
+ÿýÿý \ No newline at end of file
diff --git a/ext/gd/tests/libgd00101.phpt b/ext/gd/tests/libgd00101.phpt
new file mode 100644
index 0000000000..1c6623d2e0
--- /dev/null
+++ b/ext/gd/tests/libgd00101.phpt
@@ -0,0 +1,18 @@
+--TEST--
+libgd #101 (imagecreatefromgd can crash if gdImageCreate fails)
+--SKIPIF--
+<?php
+ if (!extension_loaded('gd')) die("skip gd extension not available\n");
+ if (!GD_BUNDLED) die("skip requires bundled GD library\n");
+?>
+--FILE--
+<?php
+$im = imagecreatefromgd(dirname(__FILE__) . '/libgd00101.gd');
+var_dump($im);
+?>
+--EXPECTF--
+Warning: imagecreatefromgd(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %slibgd00101.php on line %d
+
+Warning: imagecreatefromgd(): '%slibgd00101.gd' is not a valid GD file in %slibgd00101.php on line %d
+bool(false)
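Review bot: Only one fixture is loaded in the `--FILE--` section, so at most one of the two image-creation branches covered by the new NULL check in gd_gd.c is exercised; a second case that reaches the other branch would pin the guard on both paths. The `--EXPECTF--` block also pins the full wording of the library's allocation warning, which ties the test to that message text rather than to the behaviour being protected (a warning plus `bool(false)` instead of a crash). If the wording is not itself under test, `Warning: imagecreatefromgd(): gd warning: %s` followed by the existing ` in %slibgd00101.php on line %d` line would be less brittle.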