Permalink
Browse files

[security] Bug #73957: signed integer conversion in imagescale()

  • Loading branch information...
paulbiss committed May 2, 2018
1 parent 9210e57 commit 5d0afa03d246fcbbccccd813cb9cd727e8d04f47
@@ -4408,7 +4408,7 @@ Variant HHVM_FUNCTION(imagescale, const Resource& image, int64_t newwidth,
newheight = newwidth * src_y / src_x;
}
}
if (newheight <= 0 || newwidth <= 0) {
if (newheight <= 0 || newheight > INT_MAX || newwidth <= 0 || newwidth > INT_MAX) {
return false;
}
@@ -0,0 +1,9 @@
<?php
$im = imagecreate(8, 8);
$im = imagescale($im, 0x100000001, 1);
var_dump($im);
if ($im) { // which is not supposed to happen
var_dump(imagesx($im));
}
?>
@@ -0,0 +1 @@
bool(false)
@@ -0,0 +1,4 @@
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
?>

0 comments on commit 5d0afa0

Please sign in to comment.