ext/gd: checking imagescale/imagefilter invalid values.

devnexen · devnexen · commit 639256b19255 · 2024-07-08T07:04:10.000+01:00
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -3645,6 +3645,16 @@ static void php_image_filter_scatter(INTERNAL_FUNCTION_PARAMETERS)
 		Z_PARAM_ARRAY(hash_colors)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (scatter_sub < 0 || ZEND_SIZE_T_INT_OVFL(scatter_sub)) {
+		zend_argument_value_error(3, "must be between 0 and %d", INT_MAX);
+		RETURN_THROWS();
+	}
+
+	if (scatter_plus < 0 || ZEND_SIZE_T_INT_OVFL(scatter_plus)) {
+		zend_argument_value_error(4, "must be between 0 and %d", INT_MAX);
+		RETURN_THROWS();
+	}
+
 	im = php_gd_libgdimageptr_from_zval_p(IM);
 
 	if (hash_colors) {
@@ -3939,6 +3949,12 @@ PHP_FUNCTION(imagescale)
 		Z_PARAM_LONG(tmp_h)
 		Z_PARAM_LONG(tmp_m)
 	ZEND_PARSE_PARAMETERS_END();
+
+	if (tmp_m < GD_DEFAULT || tmp_m >= GD_METHOD_COUNT) {
+		zend_argument_value_error(4, "must be one of the GD_* constants");
+		RETURN_THROWS();
+	}
+
 	method = tmp_m;
 
 	im = php_gd_libgdimageptr_from_zval_p(IM);
@@ -3958,10 +3974,17 @@ PHP_FUNCTION(imagescale)
 		}
 	}
 
-	if (tmp_h <= 0 || tmp_h > INT_MAX || tmp_w <= 0 || tmp_w > INT_MAX) {
-		RETURN_FALSE;
+	if (tmp_w <= 0 || ZEND_SIZE_T_INT_OVFL(tmp_w)) {
+		zend_argument_value_error(2, "must be between 1 and %d", INT_MAX);
+		RETURN_THROWS();
 	}
 
+	if (tmp_h <= 0 || ZEND_SIZE_T_INT_OVFL(tmp_h)) {
+		zend_argument_value_error(3, "must be between 1 and %d", INT_MAX);
+		RETURN_THROWS();
+	}
+
+
 	new_width = tmp_w;
 	new_height = tmp_h;
 
diff --git a/ext/gd/tests/bug72337.phpt b/ext/gd/tests/bug72337.phpt
@@ -5,8 +5,26 @@ gd
 --FILE--
 <?php
 $im = imagecreatetruecolor(1, 1);
-imagescale($im, 0, 0, IMG_BICUBIC_FIXED);
+try {
+	imagescale($im, 1, 1, -10);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	imagescale($im, 0, 1, 0);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	imagescale($im, 1, 0, 0);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+imagescale($im, 1, 1, IMG_BICUBIC_FIXED);
 echo "OK";
 ?>
 --EXPECT--
+imagescale(): Argument #4 ($mode) must be one of the GD_* constants
+imagescale(): Argument #2 ($width) must be between 1 and 2147483647
+imagescale(): Argument #3 ($height) must be between 1 and 2147483647
 OK
diff --git a/ext/gd/tests/bug73957.phpt b/ext/gd/tests/bug73957.phpt
@@ -9,11 +9,14 @@ if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
 --FILE--
 <?php
 $im = imagecreate(8, 8);
-$im = imagescale($im, 0x100000001, 1);
-var_dump($im);
-if ($im) { // which is not supposed to happen
-    var_dump(imagesx($im));
+
+try {
+	$im = imagescale($im, 0x100000001, 1);
+	// which is not supposed to happen
+	var_dump(imagesx($im));
+} catch (\ValueError $e) {
+	echo $e->getMessage();
 }
 ?>
---EXPECT--
-bool(false)
+--EXPECTF--
+imagescale(): Argument #2 ($width) must be between 1 and %d
diff --git a/ext/gd/tests/imagefilter.phpt b/ext/gd/tests/imagefilter.phpt
@@ -94,8 +94,21 @@ $SOURCE_IMG = $SAVE_DIR . "/test.png";
     } else {
         echo "IMG_FILTER_SCATTER failed\n";
     }
+
+    foreach ([-1, PHP_INT_MAX] as $val) {
+        try {
+            imagefilter($im, IMG_FILTER_SCATTER, $val, 0);
+        } catch (\ValueError $e) {
+            echo $e->getMessage() . PHP_EOL;
+        }
+        try {
+            imagefilter($im, IMG_FILTER_SCATTER, 0, $val);
+        } catch (\ValueError $e) {
+            echo $e->getMessage() . PHP_EOL;
+        }
+    }
 ?>
---EXPECT--
+--EXPECTF--
 IMG_FILTER_NEGATE success
 IMG_FILTER_GRAYSCALE success
 IMG_FILTER_EDGEDETECT success
@@ -109,3 +122,6 @@ IMG_FILTER_CONTRAST success
 IMG_FILTER_BRIGHTNESS success
 IMG_FILTER_PIXELATE success
 IMG_FILTER_SCATTER success
+imagefilter(): Argument #3 must be between 0 and %d
+imagefilter(): Argument #4 must be between 0 and %d
+%A
