Fix #73957: signed integer conversion in imagescale()

We must not pass values to `gdImageScale()` which cannot be represented by an `unsigned int`. Instead we return FALSE, according to what we already did for negative integers.
2024-11-24 10:24:11 +08:00 · 2018-03-10 00:17:09 +01:00 · 2018-03-10 00:17:09 +01:00 · f1b358c9a9
commit f1b358c9a9
parent 34b9f9dedf
3 changed files with 24 additions and 1 deletions
--- a/3
+++ b/3
@ -8,6 +8,9 @@ PHP                                                                        NEWS
  . Fixed bug #76044 ('date: illegal option -- -' in ./configure on FreeBSD).
    (Anatol)

+- GD:
+  . Fixed bug #73957 (signed integer conversion in imagescale()). (cmb)
+
 01 Mar 2018, PHP 7.1.15

 - Apache2Handler:
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@ -4720,7 +4720,7 @@ PHP_FUNCTION(imagescale)
 		}
 	}

-	if (tmp_h <= 0 || tmp_w <= 0) {
+	if (tmp_h <= 0 || tmp_h > INT_MAX || tmp_w <= 0 || tmp_w > INT_MAX) {
 		RETURN_FALSE;
 	}

--- a/ext/gd/tests/bug73957.phpt
+++ b/ext/gd/tests/bug73957.phpt
@ -0,0 +1,20 @@
+--TEST--
+Bug #73957 (signed integer conversion in imagescale())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
+?>
+--FILE--
+<?php
+$im = imagecreate(8, 8);
+$im = imagescale($im, 0x100000001, 1);
+var_dump($im);
+if ($im) { // which is not supposed to happen
+    var_dump(imagesx($im));
+}
+?>
+===DONE===
+--EXPECT--
+bool(false)
+===DONE===