author | Christoph M. Becker <cmbecker69@gmx.de> | 2018-03-10 00:17:09 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2018-03-10 00:17:09 +0100 |
commit | f1b358c9a928e28e58bb23c5d5baa723df4638e0 (patch) | |
tree | 7879584c9cb1c4fb2fe9cbb24b0a53bf6b8342ec /ext/gd | |
parent | 34b9f9dedf78a01844074d595e483371a28dfdd3 (diff) | |
Fix #73957: signed integer conversion in imagescale()
We must not pass values to `gdImageScale()` which cannot be represented
by an `unsigned int`. Instead we return FALSE, according to what we
already did for negative integers.
Diffstat (limited to 'ext/gd')
-rw-r--r-- | ext/gd/gd.c | 2 | ||||
-rw-r--r-- | ext/gd/tests/bug73957.phpt | 20 |
2 files changed, 21 insertions, 1 deletions
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index e7667d2d2a..291e4e6859 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -4720,7 +4720,7 @@ PHP_FUNCTION(imagescale)
 }
 }
- if (tmp_h <= 0 || tmp_w <= 0) {
+ if (tmp_h <= 0 || tmp_h > INT_MAX || tmp_w <= 0 || tmp_w > INT_MAX) {
 RETURN_FALSE;
 }
diff --git a/ext/gd/tests/bug73957.phpt b/ext/gd/tests/bug73957.phpt
new file mode 100644
index 0000000000..370956f032
--- /dev/null
+++ b/ext/gd/tests/bug73957.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73957 (signed integer conversion in imagescale())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
+?>
+--FILE--
+<?php
+$im = imagecreate(8, 8);
+$im = imagescale($im, 0x100000001, 1);
+var_dump($im);
+if ($im) { // which is not supposed to happen
+ var_dump(imagesx($im));
+}
+?>
+===DONE===
+--EXPECT--
+bool(false)
+===DONE===
|
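Review bot: The new condition on `tmp_h`/`tmp_w` compares against `INT_MAX`, while the commit message speaks of what an `unsigned int` can represent, and no comment on the line says which limit `gdImageScale()` actually needs. I would add a comment above the condition such as `/* gdImageScale() takes unsigned int; cap at INT_MAX so the value is also safe wherever gd keeps dimensions as int */`, adjusted to the real reason. The check bounds each dimension separately, so two large in-range values still pass; whether their product is guarded is not visible here and presumably falls to the scaling code. The block closed just above the check and the rest of PHP_FUNCTION(imagescale) lie outside the hunk, so confirm that any arithmetic on `tmp_h` before this line cannot overflow ahead of the bound.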
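Review bot: The test exercises only one of the two new comparisons, a width of `0x100000001` with a height of 1, so the `tmp_h > INT_MAX` half of the condition and the boundary just above `INT_MAX` are unpinned. Because `$im` is overwritten by the first call, the extra cases need the source image kept in its own variable, e.g. `$src = imagecreate(8, 8);`. I would then add `var_dump(imagescale($src, 1, 0x100000001));` and `var_dump(imagescale($src, 0x80000000, 1));`, each expecting `bool(false)`. The second value is the smallest one the new bound rejects, which guards against a later edit loosening the limit to `UINT_MAX`.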