Merge branch 'PHP-8.3' into PHP-8.4

devnexen · devnexen · commit ec05cd559b31 · 2024-11-13T12:49:13.000Z
diff --git a/NEWS b/NEWS
@@ -11,6 +11,9 @@ PHP                                                                        NEWS
 - Curl:
   . Fixed bug GH-16723 (CURLMOPT_PUSHFUNCTION issues). (cmb)
 
+- GD:
+  . Fixed GH-16776 (imagecreatefromstring overflow). (David Carlier)
+
 - Hash:
   . Fixed GH-16711: Segfault in mhash(). (Girgias)
 
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -1366,7 +1366,7 @@ static int _php_ctx_getmbi(gdIOCtx *ctx)
 
 	do {
 		i = (ctx->getC)(ctx);
-		if (i < 0) {
+		if (i < 0 || mbi > (INT_MAX >> 7)) {
 			return -1;
 		}
 		mbi = (mbi << 7) | (i & 0x7f);
diff --git a/ext/gd/tests/gh16771.phpt b/ext/gd/tests/gh16771.phpt
@@ -0,0 +1,10 @@
+--TEST--
+GH-16771 (UBSan abort in ext/gd/libgd/gd.c:1372)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$string_mb = base64_decode('5pel5pys6Kqe44OG44Kt44K544OIMzTvvJXvvJbml6XmnKzoqp7jg4bjgq3jgrnjg4g=');
+imagecreatefromstring($string_mb);
+--EXPECTF--
+Warning: imagecreatefromstring(): Data is not in a recognized format in %s on line %d

Original file line number	Diff line number	Diff line change
`@@ -1366,7 +1366,7 @@ static int _php_ctx_getmbi(gdIOCtx *ctx)`
`1366`	`1366`
`1367`	`1367`	`do {`
`1368`	`1368`	`i = (ctx->getC)(ctx);`
`1369`		`- if (i < 0) {`
	`1369`	`+ if (i < 0 \|\| mbi > (INT_MAX >> 7)) {`
`1370`	`1370`	`return -1;`
`1371`	`1371`	`}`
`1372`	`1372`	`mbi = (mbi << 7) \| (i & 0x7f);`