- sx/sy must be > 0 and < INT_MAX

author: Pierre Joye <pajoye@php.net> 2007-06-02 15:38:09 +0000
committer: Pierre Joye <pajoye@php.net> 2007-06-02 15:38:09 +0000
commit: f4926a042e6788af59c4679f2fe75eea8358f368 (patch)
tree: c4e0a0a69e449c624bd76fe7d142c981d1020b62 /ext
parent: 70650810adb74f6811d0094170d9e31a7876728e (diff)
download: php-git-f4926a042e6788af59c4679f2fe75eea8358f368.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 3340df0847..3f24d6ea6e 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1718,7 +1718,9 @@ PHP_FUNCTION(imagecreatetruecolor)
 	convert_to_long_ex(x_size);
 	convert_to_long_ex(y_size);
 
-	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0) {
+	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0 ||
+			Z_LVAL_PP(x_size) >= INT_MAX || Z_LVAL_PP(y_size) >= INT_MAX 
+		) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
 		RETURN_FALSE;
 	}
@@ -2326,7 +2328,9 @@ PHP_FUNCTION(imagecreate)
 	convert_to_long_ex(x_size);
 	convert_to_long_ex(y_size);
 
-	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0) {
+	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0 ||
+			Z_LVAL_PP(x_size) >= INT_MAX || Z_LVAL_PP(y_size) >= INT_MAX
+		) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
 		RETURN_FALSE;
 	}
author	Pierre Joye <pajoye@php.net>	2007-06-02 15:38:09 +0000
committer	Pierre Joye <pajoye@php.net>	2007-06-02 15:38:09 +0000
commit	f4926a042e6788af59c4679f2fe75eea8358f368 (patch)
tree	c4e0a0a69e449c624bd76fe7d142c981d1020b62 /ext
parent	70650810adb74f6811d0094170d9e31a7876728e (diff)
download	php-git-f4926a042e6788af59c4679f2fe75eea8358f368.tar.gz