From 5e8f881b132d68ac1b58630f3a19f0b7c3ebc0bf Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Fri, 3 Jul 2026 13:36:48 +0100
Subject: [PATCH] ext/standard: getimagesizefromstring() overflow. close GH-22574
---
 ext/standard/image.c | 2 +-
 .../image/getimagesizefromstring_iff_overflow.phpt | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt
diff --git a/ext/standard/image.c b/ext/standard/image.c
index 15761364c341..0e6ee0897975 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -874,7 +874,7 @@ static struct gfxinfo *php_handle_iff(php_stream * stream)
 if (size < 0) {
 return NULL;
 }
- if ((size & 1) == 1) {
+ if ((size & 1) == 1 && size < INT_MAX) {
 size++;
 }
 if (chunkId == 0x424d4844) { /* BMHD chunk */
diff --git a/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt b/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt
new file mode 100644
index 000000000000..ed8f8d4b901b
--- /dev/null
+++ b/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt
@@ -0,0 +1,14 @@
+--TEST--
+getimagesizefromstring() IFF chunk size integer overflow (GH-getimagesize_oflow)
+--CREDITS--
+Alexandre Daubois
+--FILE--
+
+--EXPECT--
+bool(false)
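Review bot: A chunk whose declared size is exactly INT_MAX now carries on with an odd, unpadded length instead of failing closed, because the guard added in `if ((size & 1) == 1 && size < INT_MAX) {` only skips the `size++`. The value looks like it comes straight from the chunk header of the image being probed (the read is outside this hunk), so treating it as malformed next to the existing negative check would be easier to reason about: `if (size < 0 || size == INT_MAX) { return NULL; }`. If skipping the pad is intentional, a comment such as `/* IFF chunks are padded to an even length; INT_MAX cannot be padded without overflowing int */` would record why the bound is there. php_handle_iff starts and ends outside the hunk, so how `size` is consumed afterwards cannot be confirmed from here.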
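Review bot: The `--TEST--` title cites `GH-getimagesize_oflow`, which reads like a leftover placeholder, while the commit message closes GH-22574; the title should carry the real reference, `getimagesizefromstring() IFF chunk size integer overflow (GH-22574)`, so a failing run can be traced back to the report. The `--EXPECT--` section asserts only `bool(false)`, which presumably also held before the fix on builds where the signed overflow happened to wrap, so the test is likely to catch a regression only under an undefined-behaviour sanitizer build; a one-line comment in the `--FILE--` section saying so would help. The `--FILE--` body is not visible on this page, so the crafted input itself could not be reviewed.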