diff --git a/ext/standard/image.c b/ext/standard/image.c index 15761364c341..0e6ee0897975 100644 --- a/ext/standard/image.c +++ b/ext/standard/image.c @@ -874,7 +874,7 @@ static struct gfxinfo *php_handle_iff(php_stream * stream) if (size < 0) { return NULL; } - if ((size & 1) == 1) { + if ((size & 1) == 1 && size < INT_MAX) { size++; } if (chunkId == 0x424d4844) { /* BMHD chunk */ diff --git a/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt b/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt new file mode 100644 index 000000000000..ed8f8d4b901b --- /dev/null +++ b/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt @@ -0,0 +1,14 @@ +--TEST-- +getimagesizefromstring() IFF chunk size integer overflow (GH-getimagesize_oflow) +--CREDITS-- +Alexandre Daubois +--FILE-- + +--EXPECT-- +bool(false)