From 57cb01a9277b6e64a68119499d9f9673b45c6184 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 9 Feb 2021 15:18:59 +0100
Subject: Properly check imagegd() signature

Unlike imagegd2(), this function only accepts two parameters,
so we should be checking for that.
---
 ext/gd/gd.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index c1329d13cf..d009b9b09a 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1785,8 +1785,18 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, char
 
 	/* The quality parameter for gd2 stands for chunk size */
 
-	if (zend_parse_parameters(argc, "O|p!ll", &imgind, gd_image_ce, &file, &file_len, &quality, &type) == FAILURE) {
-		RETURN_THROWS();
+	switch (image_type) {
+		case PHP_GDIMG_TYPE_GD:
+			if (zend_parse_parameters(argc, "O|p!", &imgind, gd_image_ce, &file, &file_len) == FAILURE) {
+				RETURN_THROWS();
+			}
+			break;
+		case PHP_GDIMG_TYPE_GD2:
+			if (zend_parse_parameters(argc, "O|p!ll", &imgind, gd_image_ce, &file, &file_len, &quality, &type) == FAILURE) {
+				RETURN_THROWS();
+			}
+			break;
+		EMPTY_SWITCH_DEFAULT_CASE()
 	}
 
 	im = php_gd_libgdimageptr_from_zval_p(imgind);
-- 
cgit v1.2.1