ext/gd: checking imagescale/imagefilter invalid values.

devnexen · devnexen · commit 7e973254d43a · 2024-07-07T17:31:05.000+01:00
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -3645,6 +3645,16 @@ static void php_image_filter_scatter(INTERNAL_FUNCTION_PARAMETERS)
 		Z_PARAM_ARRAY(hash_colors)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (ZEND_SIZE_T_INT_OVFL(scatter_sub)) {
+		zend_argument_value_error(3, "must not be greater than %d", INT_MAX);
+		RETURN_THROWS();
+	}
+
+	if (ZEND_SIZE_T_INT_OVFL(scatter_plus)) {
+		zend_argument_value_error(4, "must not be greater than %d", INT_MAX);
+		RETURN_THROWS();
+	}
+
 	im = php_gd_libgdimageptr_from_zval_p(IM);
 
 	if (hash_colors) {
@@ -3939,6 +3949,12 @@ PHP_FUNCTION(imagescale)
 		Z_PARAM_LONG(tmp_h)
 		Z_PARAM_LONG(tmp_m)
 	ZEND_PARSE_PARAMETERS_END();
+
+	if (tmp_m < GD_DEFAULT || tmp_m >= GD_METHOD_COUNT) {
+		zend_argument_value_error(4, "must be a valid mode");
+		RETURN_THROWS();
+	}
+
 	method = tmp_m;
 
 	im = php_gd_libgdimageptr_from_zval_p(IM);
@@ -3958,10 +3974,21 @@ PHP_FUNCTION(imagescale)
 		}
 	}
 
-	if (tmp_h <= 0 || tmp_h > INT_MAX || tmp_w <= 0 || tmp_w > INT_MAX) {
+	if (tmp_w <= 0) {
+		RETURN_FALSE;
+	} else if (ZEND_SIZE_T_INT_OVFL(tmp_w)) {
+		zend_argument_value_error(2, "must be lower or equal to %d", INT_MAX);
+		RETURN_THROWS();
+	}
+
+	if (tmp_h <= 0) {
 		RETURN_FALSE;
+	} else if (ZEND_SIZE_T_INT_OVFL(tmp_h)) {
+		zend_argument_value_error(3, "must be lower or equal to %d", INT_MAX);
+		RETURN_THROWS();
 	}
 
+
 	new_width = tmp_w;
 	new_height = tmp_h;
 
diff --git a/ext/gd/tests/bug72337.phpt b/ext/gd/tests/bug72337.phpt
@@ -5,8 +5,14 @@ gd
 --FILE--
 <?php
 $im = imagecreatetruecolor(1, 1);
+try {
+	imagescale($im, 0, 0, -10);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
 imagescale($im, 0, 0, IMG_BICUBIC_FIXED);
 echo "OK";
 ?>
 --EXPECT--
+imagescale(): Argument #4 ($mode) must be a valid mode
 OK
diff --git a/ext/gd/tests/bug73957.phpt b/ext/gd/tests/bug73957.phpt
@@ -9,11 +9,14 @@ if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
 --FILE--
 <?php
 $im = imagecreate(8, 8);
-$im = imagescale($im, 0x100000001, 1);
-var_dump($im);
-if ($im) { // which is not supposed to happen
-    var_dump(imagesx($im));
+
+try {
+	$im = imagescale($im, 0x100000001, 1);
+	// which is not supposed to happen
+	var_dump(imagesx($im));
+} catch (\ValueError $e) {
+	echo $e->getMessage();
 }
 ?>
---EXPECT--
-bool(false)
+--EXPECTF--
+imagescale(): Argument #2 ($width) must be lower or equal to %d
