Fix GH-16255: Unexpected nan value in ext/gd/libgd/gd_filter.c

Closes GH-17169.

Author: nielsdos

NEWS

@@ -17,6 +17,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already
     locked)). (Jakub Zelenka)
 
+- GD:
+  . Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
+    (nielsdos, cmb)
+
 - Iconv:
   . Fixed bug GH-17047 (UAF on iconv filter failure). (nielsdos)
 

ext/gd/gd.c

@@ -3433,7 +3433,24 @@ PHP_FUNCTION(imageconvolution)
 			}
 		}
 	}
-	res = gdImageConvolution(im_src, matrix, (float)div, (float)offset);
+
+	if (UNEXPECTED(!zend_finite(div))) {
+		zend_argument_value_error(3, "must be finite");
+		RETURN_THROWS();
+	}
+
+	float div_float = (float) div;
+	if (UNEXPECTED(div_float == 0.0f)) {
+		zend_argument_value_error(3, "must not be 0");
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(!zend_finite(offset))) {
+		zend_argument_value_error(4, "must be finite");
+		RETURN_THROWS();
+	}
+
+	res = gdImageConvolution(im_src, matrix, div_float, (float) offset);
 
 	if (res) {
 		RETURN_TRUE;

ext/gd/tests/gh16255.phpt

@@ -0,0 +1,34 @@
+--TEST--
+GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c)
+--EXTENSIONS--
+gd
+--CREDITS--
+cmb69
+--FILE--
+<?php
+$matrix = array(array(1, 0, 1), array(0, 5, 0), array(1, 0, 1));
+$im = imagecreatetruecolor(40, 40);
+
+try {
+    imageconvolution($im, $matrix, NAN, 1.0);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    imageconvolution($im, $matrix,  2.225E-307, 1.0);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    imageconvolution($im, $matrix, 1, NAN);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+imageconvolution(): Argument #3 ($divisor) must be finite
+imageconvolution(): Argument #3 ($divisor) must not be 0
+imageconvolution(): Argument #4 ($offset) must be finite