Merge branch 'PHP-8.3' into PHP-8.4

devnexen · devnexen · commit 215c61f9c7c4 · 2024-10-05T11:34:59.000+01:00
diff --git a/NEWS b/NEWS
@@ -51,6 +51,10 @@ PHP                                                                        NEWS
 - JSON:
   . Fixed bug GH-15168 (stack overflow in json_encode()). (nielsdos)
 
+- GD:
+  . Fixed bug 16232 (bitshift overflow on wbmp file content reading /
+    fix backport from upstream). (David Carlier)
+
 - LDAP:
   . Fixed bug GH-16032 (Various NULL pointer dereferencements in
     ldap_modify_batch()). (Girgias)
diff --git a/ext/gd/libgd/wbmp.c b/ext/gd/libgd/wbmp.c
@@ -37,7 +37,8 @@
 int
 getmbi (int (*getin) (void *in), void *in)
 {
-  int i, mbi = 0;
+  unsigned int mbi = 0;
+  int i;
 
   do
     {
diff --git a/ext/gd/tests/gh16232.phpt b/ext/gd/tests/gh16232.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-16232 (Overflow on reading wbmp content)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$good_webp = __DIR__ . '/src.wbmp';
+$bad_webp = __DIR__ . "/gh16232.webp";
+copy($good_webp, $bad_webp);
+var_dump(imagecreatefromwbmp($bad_webp));
+$data = file_get_contents($bad_webp);
+$data[3] = chr(-1);
+file_put_contents($bad_webp, $data);
+var_dump(imagecreatefromwbmp($bad_webp));
+$data[3] = chr(1000);
+file_put_contents($bad_webp, $data);
+var_dump(imagecreatefromwbmp($bad_webp));
+unlink($bad_webp);
+--EXPECTF--
+object(GdImage)#1 (0) {
+}
+
+Warning: imagecreatefromwbmp(): "%s" is not a valid WBMP file in %s on line %d
+bool(false)
+
+Warning: imagecreatefromwbmp(): "%s" is not a valid WBMP file in %s on line %d
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,8 @@`
`37`	`37`	`int`
`38`	`38`	`getmbi (int (getin) (void in), void *in)`
`39`	`39`	`{`
`40`		`- int i, mbi = 0;`
	`40`	`+ unsigned int mbi = 0;`
	`41`	`+ int i;`
`41`	`42`
`42`	`43`	`do`
`43`	`44`	`{`