Fix GH-16232: bitshift overflow on wbmp file content reading.

backport from a8f1d5cab0 close GH-16239
2026-03-24 00:02:20 +01:00 · 2024-10-05 06:27:19 +01:00
parent f4d2dd038b
commit 54973c9366
3 changed files with 33 additions and 1 deletions
--- a/4
+++ b/4
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
  . Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
    (nielsdos)

+- GD:
+  . Fixed bug 16232 (bitshift overflow on wbmp file content reading /
+    fix backport from upstream). (David Carlier)
+
 - LDAP:
  . Fixed bug GH-16032 (Various NULL pointer dereferencements in
    ldap_modify_batch()). (Girgias)
--- a/ext/gd/libgd/wbmp.c
+++ b/ext/gd/libgd/wbmp.c
@@ -37,7 +37,8 @@
 int
 getmbi (int (*getin) (void *in), void *in)
 {
-  int i, mbi = 0;
+  unsigned int mbi = 0;
+  int i;

  do
    {
--- a/ext/gd/tests/gh16232.phpt
+++ b/ext/gd/tests/gh16232.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-16232 (Overflow on reading wbmp content)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$good_webp = __DIR__ . '/src.wbmp';
+$bad_webp = __DIR__ . "/gh16232.webp";
+copy($good_webp, $bad_webp);
+var_dump(imagecreatefromwbmp($bad_webp));
+$data = file_get_contents($bad_webp);
+$data[3] = chr(-1);
+file_put_contents($bad_webp, $data);
+var_dump(imagecreatefromwbmp($bad_webp));
+$data[3] = chr(1000);
+file_put_contents($bad_webp, $data);
+var_dump(imagecreatefromwbmp($bad_webp));
+unlink($bad_webp);
+--EXPECTF--
+object(GdImage)#1 (0) {
+}
+
+Warning: imagecreatefromwbmp(): "%s" is not a valid WBMP file in %s on line %d
+bool(false)
+
+Warning: imagecreatefromwbmp(): "%s" is not a valid WBMP file in %s on line %d
+bool(false)