From c8e13af4558659ba91cec07e502733e127dcb1ce Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 28 Nov 2025 12:40:33 +0000 Subject: [PATCH] Fix GH-20602: imagescale() overflow with large height values. close GH-20605 --- NEWS | 2 ++ ext/gd/gd.c | 8 ++++++++ ext/gd/tests/gh20602.phpt | 22 ++++++++++++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 ext/gd/tests/gh20602.phpt diff --git a/NEWS b/NEWS index 863d672d736..214f1105b5c 100644 --- a/NEWS +++ b/NEWS @@ -27,6 +27,8 @@ PHP NEWS - GD: . Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier) + . Fixed bug GH-20602 (imagescale overflow with large height values). + (David Carlier) - LibXML: . Fix some deprecations on newer libxml versions regarding input diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 558d0764d66..925d64f01c5 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -3689,9 +3689,17 @@ PHP_FUNCTION(imagescale) src_y = gdImageSY(im); if (src_x && tmp_h < 0) { + if (tmp_w > (ZEND_LONG_MAX / src_y)) { + zend_argument_value_error(2, "must be less than or equal to " ZEND_LONG_FMT, (zend_long)(ZEND_LONG_MAX / src_y)); + RETURN_THROWS(); + } tmp_h = tmp_w * src_y / src_x; } if (src_y && tmp_w < 0) { + if (tmp_h > (ZEND_LONG_MAX / src_x)) { + zend_argument_value_error(3, "must be less than or equal to " ZEND_LONG_FMT, (zend_long)(ZEND_LONG_MAX / src_x)); + RETURN_THROWS(); + } tmp_w = tmp_h * src_x / src_y; } } diff --git a/ext/gd/tests/gh20602.phpt b/ext/gd/tests/gh20602.phpt new file mode 100644 index 00000000000..29c781e76a2 --- /dev/null +++ b/ext/gd/tests/gh20602.phpt 
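Review bot: The new bounds checks divide by the dimension that the enclosing `if` does not test: the first branch is guarded by `src_x` but evaluates `ZEND_LONG_MAX / src_y`, and the second is guarded by `src_y` but evaluates `ZEND_LONG_MAX / src_x`. If those guards exist because a dimension can be zero, the check itself divides by zero. The checks also bound only the positive side, so a large negative `tmp_w` (or `tmp_h`) reaching this block would still overflow in `tmp_w * src_y`, which is undefined behaviour for signed integers, unless it is rejected earlier, outside the hunk. Assuming the image dimensions are never negative, `if (src_y && (tmp_w > ZEND_LONG_MAX / src_y || tmp_w < ZEND_LONG_MIN / src_y))` covers both cases, with the mirrored form for `tmp_h` and `src_x`. The body of PHP_FUNCTION(imagescale) starts and ends outside the hunk.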
@@ -0,0 +1,22 @@ +--TEST-- +GH-20551: (imagegammacorrect out of range input/output value) +--EXTENSIONS-- +gd +--FILE-- +getMessage(), PHP_EOL; +} +try { + imagescale($im, -1, PHP_INT_MAX); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} +?> +--EXPECTF-- +imagescale(): Argument #2 ($width) must be less than or equal to %d +imagescale(): Argument #3 ($height) must be less than or equal to %d
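Review bot: The `--TEST--` title is carried over from another test: it names GH-20551 and imagegammacorrect, while the file is gh20602.phpt and exercises imagescale(). It should read something like `GH-20602 (imagescale() overflow with large height values)` so a failure report points at the right issue. Only the `PHP_INT_MAX` side is visible in the cases here, so a case with a very large negative width or height would show whether the multiplication in gd.c is also safe on that side.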