From 1fc083e526f218b344946985800f7153d31eef3a Mon Sep 17 00:00:00 2001
From: David CARLIER
Date: Sun, 16 Jun 2024 23:28:04 +0100
Subject: [PATCH] ext/gd: iamgeresolution checks overflow. (#14585)
---
 ext/gd/gd.c | 16 ++++++++++++
 ext/gd/tests/imageresolution_basic.phpt | 34 +++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 ext/gd/tests/imageresolution_basic.phpt
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index b655f13296c..eb282ec2328 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -4282,12 +4282,28 @@ PHP_FUNCTION(imageresolution)
 im = php_gd_libgdimageptr_from_zval_p(IM);
 if (!res_x_is_null && !res_y_is_null) {
+ if (res_x < 0 || ZEND_SIZE_T_UINT_OVFL(res_x)) {
+ zend_argument_value_error(2, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
+ if (res_y < 0 || ZEND_SIZE_T_UINT_OVFL(res_y)) {
+ zend_argument_value_error(3, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
 gdImageSetResolution(im, res_x, res_y);
 RETURN_TRUE;
 } else if (!res_x_is_null && res_y_is_null) {
+ if (res_x < 0 || ZEND_SIZE_T_UINT_OVFL(res_x)) {
+ zend_argument_value_error(2, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
 gdImageSetResolution(im, res_x, res_x);
 RETURN_TRUE;
 } else if (res_x_is_null && !res_y_is_null) {
+ if (res_y < 0 || ZEND_SIZE_T_UINT_OVFL(res_y)) {
+ zend_argument_value_error(3, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
 gdImageSetResolution(im, res_y, res_y);
 RETURN_TRUE;
 }
diff --git a/ext/gd/tests/imageresolution_basic.phpt b/ext/gd/tests/imageresolution_basic.phpt
new file mode 100644
index 00000000000..74dc8c59dcd
--- /dev/null
+++ b/ext/gd/tests/imageresolution_basic.phpt
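Review bot: The added range checks apply `ZEND_SIZE_T_UINT_OVFL`, a macro written for `size_t` operands, to `res_x` and `res_y`, which appear to be signed `zend_long` values (their declarations are outside the hunk). The upper-bound test is only sound because `res_x < 0` short-circuits before the value is converted to an unsigned type, so keeping the explicit `< 0` test and switching to `ZEND_LONG_UINT_OVFL` would match the operand type and not depend on operand order. The same four-line guard is also copied into all three branches, so a later edit could miss one copy and let an out-of-range value be narrowed when it is passed to `gdImageSetResolution`. Validating each non-null argument once, before the branches, keeps the guard in one place. The body of `PHP_FUNCTION(imageresolution)` starts and ends outside the hunk.

```c
	im = php_gd_libgdimageptr_from_zval_p(IM);

	if (!res_x_is_null && (res_x < 0 || ZEND_LONG_UINT_OVFL(res_x))) {
		zend_argument_value_error(2, "must be between 0 and %u", UINT_MAX);
		RETURN_THROWS();
	}
	if (!res_y_is_null && (res_y < 0 || ZEND_LONG_UINT_OVFL(res_y))) {
		zend_argument_value_error(3, "must be between 0 and %u", UINT_MAX);
		RETURN_THROWS();
	}
	/* … unchanged: the three gdImageSetResolution branches, without their per-branch checks … */
```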
@@ -0,0 +1,34 @@
+--TEST--
+Wrong image resolution
+--EXTENSIONS--
+gd
+--SKIPIF--
+
+--FILE--
+getMessage() . PHP_EOL;
+}
+try {
+ imageresolution($exp, 127, -PHP_INT_MAX);
+} catch (\ValueError $e) {
+ echo $e->getMessage() . PHP_EOL;
+}
+imageresolution($exp, 0, 0);
+var_dump(imageresolution($exp) == $res);
+?>
+--EXPECTF--
+imageresolution(): Argument #2 ($resolution_x) must be between 0 and %d
+imageresolution(): Argument #3 ($resolution_y) must be between 0 and %d
+bool(true)