Fix #77479: imagewbmp() segfaults with very large images

We must not proceed working with the Wbmp structure, if it hasn't been allocated.
php · Jan 19, 2019 · 44fa0b0 · 44fa0b0
1 parent dbe7f2a
commit 44fa0b0
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -14,6 +14,7 @@ PHP                                                                        NEWS
   . Fixed bug #73614 (gdImageFilledArc() doesn't properly draw pies). (cmb)
   . Fixed bug #77272 (imagescale() may return image resource on failure). (cmb)
   . Fixed bug #77391 (1bpp BMPs may fail to be loaded). (Romain Déoux, cmb)
+  . Fixed bug #77479 (imagewbmp() segfaults with very large images). (cmb)
 
 - Mbstring:
   . Fixed bug #77454 (mb_scrub() silently truncates after a null byte).

diff --git a/ext/gd/libgd/gd_wbmp.c b/ext/gd/libgd/gd_wbmp.c
@@ -100,6 +100,7 @@ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
 	/* create the WBMP */
 	if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL) {
 		gd_error("Could not create WBMP");
+		return;
 	}
 
 	/* fill up the WBMP structure */

diff --git a/ext/gd/tests/bug77479.phpt b/ext/gd/tests/bug77479.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #77479 (imagewbmp() segfaults with very large image)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+?>
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+$im = imagecreate(40000, 20000);
+imagecolorallocate($im, 0, 0, 0);
+imagewbmp($im, __DIR__ . '/77479.wbmp');
+?>
+===DONE===
+--EXPECTF--
+Warning: imagewbmp(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %s on line %d
+
+Warning: imagewbmp(): Could not create WBMP in %s on line %d
+===DONE===
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/77479.wbmp');
+?>