Fix #79877: getimagesize function silently truncates after a null byte

We have to check for NUL bytes if `getimagesize()` has been called.
2026-04-13 02:52:48 +02:00 · 2020-07-21 11:07:43 +02:00
parent 7355ab8176
commit ff577b04c0
2 changed files with 14 additions and 0 deletions
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -1478,6 +1478,11 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {
 		Z_PARAM_ZVAL_DEREF(info)
 	ZEND_PARSE_PARAMETERS_END();

+	if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) {
+		php_error_docref(NULL, E_WARNING, "Invalid path");
+		return;
+	}
+
 	if (argc == 2) {
 		zval_ptr_dtor(info);
 		array_init(info);
--- a/ext/standard/tests/image/bug79877.phpt
+++ b/ext/standard/tests/image/bug79877.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #79877 (getimagesize function silently truncates after a null byte)
+--FILE--
+<?php
+var_dump(getimagesize("/tmp/a.png\0xx"));
+?>
+--EXPECTF--
+Warning: getimagesize(): Invalid path in %s on line %d
+NULL