Fix #73957: signed integer conversion in imagescale()

We must not pass values to `gdImageScale()` which cannot be represented by an `unsigned int`. Instead we return FALSE, according to what we already did for negative integers.
php · Mar 9, 2018 · f1b358c · f1b358c
1 parent 34b9f9d
commit f1b358c
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -8,6 +8,9 @@ PHP                                                                        NEWS
   . Fixed bug #76044 ('date: illegal option -- -' in ./configure on FreeBSD).
     (Anatol)
 
+- GD:
+  . Fixed bug #73957 (signed integer conversion in imagescale()). (cmb)
+
 01 Mar 2018, PHP 7.1.15
 
 - Apache2Handler:

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -4720,7 +4720,7 @@ PHP_FUNCTION(imagescale)
 		}
 	}
 
-	if (tmp_h <= 0 || tmp_w <= 0) {
+	if (tmp_h <= 0 || tmp_h > INT_MAX || tmp_w <= 0 || tmp_w > INT_MAX) {
 		RETURN_FALSE;
 	}
 

diff --git a/ext/gd/tests/bug73957.phpt b/ext/gd/tests/bug73957.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #73957 (signed integer conversion in imagescale())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
+?>
+--FILE--
+<?php
+$im = imagecreate(8, 8);
+$im = imagescale($im, 0x100000001, 1);
+var_dump($im);
+if ($im) { // which is not supposed to happen
+    var_dump(imagesx($im));
+}
+?>
+===DONE===
+--EXPECT--
+bool(false)
+===DONE===