diff options
Diffstat (limited to 'ext/gd/tests/bug72339.phpt')
| -rw-r--r-- | ext/gd/tests/bug72339.phpt | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt new file mode 100644 index 0000000000..2c30ee8a74 --- /dev/null +++ b/ext/gd/tests/bug72339.phpt @@ -0,0 +1,33 @@ +--TEST-- +Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow +--SKIPIF-- +<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?> +--FILE-- +<?php +$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"; + +$fh = fopen($fname, "w"); +fwrite($fh, "gd2\x00"); +fwrite($fh, pack("n", 2)); +fwrite($fh, pack("n", 1)); +fwrite($fh, pack("n", 1)); +fwrite($fh, pack("n", 0x40)); +fwrite($fh, pack("n", 2)); +fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide +fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically +fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data +fclose($fh); + +$im = imagecreatefromgd2($fname); + +if ($im) { + imagedestroy($im); +} +unlink($fname); + +?> +--EXPECTF-- +Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %sbug72339.php on line %d + +Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d |