
Commit 8512e4c

committed
ext/standard: getimagesizefromstring() overflow.
1 parent 86d78cc commit 8512e4c

2 files changed

Lines changed: 15 additions & 1 deletion


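--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -871,7 +871,7 @@ static struct gfxinfo *php_handle_iff(php_stream * stream)
 }
 chunkId = php_ifd_get32s(a+0, 1);
 size = php_ifd_get32s(a+4, 1);
-if (size < 0) {
+if (size < 0 || size == INT_MAX) {
 return NULL;
 }
 if ((size & 1) == 1) {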
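Review bot: The added `size == INT_MAX` test in php_handle_iff carries no comment, and the reason for rejecting that one value is not evident at the check itself; going by the accompanying test, it protects the `size++` that rounds odd chunk sizes up to even. I would put `/* INT_MAX is odd: rounding it up to even with size++ would overflow a signed int */` above the condition. The size comes straight from the image data, so every other value up to INT_MAX - 1 still passes this guard and reaches the code after the hunk; how that code bounds it is not visible here. The function body starts and ends outside the hunk.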
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
--TEST--
2+
getimagesizefromstring() IFF chunk size integer overflow (GH-getimagesize_oflow)
3+
--CREDITS--
4+
Alexandre Daubois
5+
--FILE--
6+
<?php
7+
// IFF/ILBM with a chunk size of INT_MAX (0x7fffffff), an odd value.
8+
// The parser rounds odd chunk sizes up to even via size++, which overflowed
9+
// when size == INT_MAX. It must be handled gracefully rather than triggering UB.
10+
$payload = "FORM" . "\x00\x00\x00\x00" . "ILBM" . "ABCD" . "\x7f\xff\xff\xff";
11+
var_dump(getimagesizefromstring($payload));
12+
?>
13+
--EXPECT--
14+
bool(false)
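Review bot: The expected `bool(false)` may not distinguish a patched build from an unpatched one: the payload stops right after the 8-byte chunk header, so a build without the guard could plausibly return false as well once a later read or seek fails, leaving a sanitizer run as the only thing that catches a regression (inferred; the parser beyond the guard is not shown). A comment in the test such as `// Without the guard this is only detectable under UBSan; the return value alone may not change.` would make that dependency explicit. A second case with an even size just below the limit, `"\x7f\xff\xff\xfe"`, would pin the boundary of the check. `GH-getimagesize_oflow` in the title reads like a placeholder rather than an issue number.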
