Skip to content

Commit 750074b

Browse files
committed
Merge branch 'PHP-8.5'
* PHP-8.5: ext/standard: getimagesize()/getimagesizefromstring() overflow.
2 parents 9cefeea + 3372f2b commit 750074b

2 files changed

Lines changed: 27 additions & 0 deletions

File tree

ext/standard/image.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -876,6 +876,9 @@ static struct php_gfxinfo *php_handle_iff(php_stream * stream)
876876
return NULL;
877877
}
878878
if ((size & 1) == 1) {
879+
if (size == INT_MAX) {
880+
return NULL;
881+
}
879882
size++;
880883
}
881884
if (chunkId == 0x424d4844) { /* BMHD chunk */
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
--TEST--
2+
getimagesizefromstring() IFF chunk size integer overflow (GH-getimagesize_oflow)
3+
--CREDITS--
4+
Alexandre Daubois
5+
--FILE--
6+
<?php
7+
// IFF/ILBM with a chunk size of INT_MAX (0x7fffffff), an odd value.
8+
// The parser rounds odd chunk sizes up to even via size++, which overflowed
9+
// when size == INT_MAX. It must be handled gracefully rather than triggering UB.
10+
$payload = "FORM" . "\x00\x00\x00\x00" . "ILBM" . "ABCD" . "\x7f\xff\xff\xff";
11+
var_dump(getimagesizefromstring($payload));
12+
13+
// getimagesize() shares the same IFF parser through the file path.
14+
$file = __DIR__ . "/getimagesizefromstring_iff_overflow.iff";
15+
file_put_contents($file, $payload);
16+
var_dump(getimagesize($file));
17+
?>
18+
--CLEAN--
19+
<?php
20+
@unlink(__DIR__ . "/getimagesizefromstring_iff_overflow.iff");
21+
?>
22+
--EXPECT--
23+
bool(false)
24+
bool(false)

0 commit comments

Comments
 (0)