Skip to content

Commit 3a5c87f

Browse files
devnexendevnexen
committed
Merge branch 'PHP-8.3' into PHP-8.4
2 parents 2b98408 + a162004 commit 3a5c87f

File tree

3 files changed

+69
-0
lines changed

3 files changed

+69
-0
lines changed

NEWS

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ PHP NEWS
77
evaluation). (ilutov)
88
. Fixed bug GH-18038 (Lazy proxy calls magic methods twice). (Arnaud)
99

10+
- GD:
11+
. Fixed imagecrop() overflow with rect argument with x/width y/heigh usage
12+
in gdImageCrop(). (David Carlier)
13+
1014
- Standard:
1115
. Fixed bug GH-18145 (php8ts crashes in php_clear_stat_cache()).
1216
(Jakub Zelenka)

ext/gd/gd.c

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3894,6 +3894,26 @@ PHP_FUNCTION(imagecrop)
38943894
RETURN_THROWS();
38953895
}
38963896

3897+
if ((rect.width > 0 && rect.x > INT_MAX - rect.width)) {
3898+
zend_argument_value_error(2, "overflow with \"x\" and \"width\" keys");
3899+
RETURN_THROWS();
3900+
}
3901+
3902+
if ((rect.width < 0 && rect.x < INT_MIN - rect.width)) {
3903+
zend_argument_value_error(2, "underflow with \"x\" and \"width\" keys");
3904+
RETURN_THROWS();
3905+
}
3906+
3907+
if ((rect.height > 0 && rect.y > INT_MAX - rect.height)) {
3908+
zend_argument_value_error(2, "overflow with \"y\" and \"height\" keys");
3909+
RETURN_THROWS();
3910+
}
3911+
3912+
if ((rect.height < 0 && rect.y < INT_MIN - rect.height)) {
3913+
zend_argument_value_error(2, "underflow with \"y\" and \"height\" keys");
3914+
RETURN_THROWS();
3915+
}
3916+
38973917
im_crop = gdImageCrop(im, &rect);
38983918

38993919
if (im_crop == NULL) {

ext/gd/tests/imagecrop_overflow.phpt

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
--TEST--
2+
imagecrop() overflows when the combo x/width or y/height is over INT_MAX or under INT_MIN.
3+
--EXTENSIONS--
4+
gd
5+
--FILE--
6+
<?php
7+
$img = imagecreatetruecolor(10, 10);
8+
9+
$arr = ["x" => 2147483647, "y" => 2147483647, "width" => 10, "height" => 10];
10+
11+
try {
12+
imagecrop($img, $arr);
13+
} catch (\ValueError $e) {
14+
echo $e->getMessage() . PHP_EOL;
15+
}
16+
17+
$arr = ["x" => -2147483648, "y" => 0, "width" => -10, "height" => 10];
18+
19+
try {
20+
imagecrop($img, $arr);
21+
} catch (\ValueError $e) {
22+
echo $e->getMessage() . PHP_EOL;
23+
}
24+
25+
$arr = ["x" => 1, "y" => 2147483647, "width" => 10, "height" => 10];
26+
27+
try {
28+
imagecrop($img, $arr);
29+
} catch (\ValueError $e) {
30+
echo $e->getMessage() . PHP_EOL;
31+
}
32+
33+
$arr = ["x" => 1, "y" => -2147483648, "width" => 10, "height" => -10];
34+
35+
try {
36+
imagecrop($img, $arr);
37+
} catch (\ValueError $e) {
38+
echo $e->getMessage();
39+
}
40+
?>
41+
--EXPECT--
42+
imagecrop(): Argument #2 ($rectangle) overflow with "x" and "width" keys
43+
imagecrop(): Argument #2 ($rectangle) underflow with "x" and "width" keys
44+
imagecrop(): Argument #2 ($rectangle) overflow with "y" and "height" keys
45+
imagecrop(): Argument #2 ($rectangle) underflow with "y" and "height" keys

0 commit comments

Comments
 (0)