Fix GH-16771: imagecreatefromstring overflow on invalid format.

devnexen · devnexen · commit 8d45c4fecd76 · 2024-11-13T07:26:24.000Z
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -1323,7 +1323,7 @@ static int _php_ctx_getmbi(gdIOCtx *ctx)
 
 	do {
 		i = (ctx->getC)(ctx);
-		if (i < 0) {
+		if (i < 0 || mbi > (INT_MAX >> 7)) {
 			return -1;
 		}
 		mbi = (mbi << 7) | (i & 0x7f);

Original file line number	Diff line number	Diff line change
`@@ -1323,7 +1323,7 @@ static int _php_ctx_getmbi(gdIOCtx *ctx)`
`1323`	`1323`
`1324`	`1324`	`do {`
`1325`	`1325`	`i = (ctx->getC)(ctx);`
`1326`		`- if (i < 0) {`
	`1326`	`+ if (i < 0 \|\| mbi > (INT_MAX >> 7)) {`
`1327`	`1327`	`return -1;`
`1328`	`1328`	`}`
`1329`	`1329`	`mbi = (mbi << 7) \| (i & 0x7f);`