ext/gd: calls with array types check strengthening.

devnexen · devnexen · commit 836241cf904a · 2025-03-08T19:24:44.000Z
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -652,7 +652,15 @@ PHP_FUNCTION(imagesetstyle)
 	stylearr = safe_emalloc(sizeof(int), num_styles, 0);
 
 	ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(styles), item) {
-		stylearr[index++] = zval_get_long(item);
+		bool failed = false;
+		ZVAL_DEREF(item);
+		zend_long tmp = zval_try_get_long(item, &failed);
+		if (failed) {
+			efree(stylearr);
+			zend_argument_value_error(2, "value must be of type int, %s given", zend_zval_type_name(item));
+			RETURN_THROWS();
+		}
+		stylearr[index++] = tmp;
 	} ZEND_HASH_FOREACH_END();
 
 	gdImageSetStyle(im, stylearr, index);
@@ -3648,7 +3656,20 @@ static void php_image_filter_scatter(INTERNAL_FUNCTION_PARAMETERS)
 		colors = emalloc(num_colors * sizeof(int));
 
 		ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(hash_colors), color) {
-			*(colors + i++) = (int) zval_get_long(color);
+			bool failed = false;
+			ZVAL_DEREF(color);
+			zend_long tmp = zval_try_get_long(color, &failed);
+			if (failed) {
+				efree(colors);
+				zend_argument_value_error(5, "value must be of type int, %s given", zend_zval_type_name(color));
+				RETURN_THROWS();
+			}
+			if (tmp < 0 || ZEND_LONG_INT_OVFL(tmp)) {
+				efree(colors);
+				zend_argument_value_error(5, "value must be between 0 and %d", INT_MAX);
+				RETURN_THROWS();
+			}
+			*(colors + i++) = (int) tmp;
 		} ZEND_HASH_FOREACH_END();
 
 		RETVAL_BOOL(gdImageScatterColor(im, (int)scatter_sub, (int)scatter_plus, colors, num_colors));
@@ -3831,6 +3852,7 @@ PHP_FUNCTION(imagecrop)
 	gdRect rect;
 	zval *z_rect;
 	zval *tmp;
+	zend_long r;
 
 	ZEND_PARSE_PARAMETERS_START(2, 2)
 		Z_PARAM_OBJECT_OF_CLASS(IM, gd_image_ce)
@@ -3840,28 +3862,48 @@ PHP_FUNCTION(imagecrop)
 	im = php_gd_libgdimageptr_from_zval_p(IM);
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "x", sizeof("x") -1)) != NULL) {
-		rect.x = zval_get_long(tmp);
+		r = zval_get_long(tmp);
+		if (ZEND_LONG_EXCEEDS_INT(r)) {
+			zend_argument_value_error(2, "\"x\" key must be between %d and %d\n", INT_MIN, INT_MAX);
+			RETURN_THROWS();
+		}
+		rect.x = (int)r;
 	} else {
 		zend_argument_value_error(2, "must have an \"x\" key");
 		RETURN_THROWS();
 	}
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "y", sizeof("y") - 1)) != NULL) {
-		rect.y = zval_get_long(tmp);
+		r = zval_get_long(tmp);
+		if (ZEND_LONG_EXCEEDS_INT(r)) {
+			zend_argument_value_error(2, "\"y\" key must be between %d and %d\n", INT_MIN, INT_MAX);
+			RETURN_THROWS();
+		}
+		rect.y = (int)r;
 	} else {
 		zend_argument_value_error(2, "must have a \"y\" key");
 		RETURN_THROWS();
 	}
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "width", sizeof("width") - 1)) != NULL) {
-		rect.width = zval_get_long(tmp);
+		r = zval_get_long(tmp);
+		if (ZEND_LONG_EXCEEDS_INT(r)) {
+			zend_argument_value_error(2, "\"width\" key must be between %d and %d\n", INT_MIN, INT_MAX);
+			RETURN_THROWS();
+		}
+		rect.width = (int)r;
 	} else {
 		zend_argument_value_error(2, "must have a \"width\" key");
 		RETURN_THROWS();
 	}
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "height", sizeof("height") - 1)) != NULL) {
-		rect.height = zval_get_long(tmp);
+		r = zval_get_long(tmp);
+		if (ZEND_LONG_EXCEEDS_INT(r)) {
+			zend_argument_value_error(2, "\"height\" key must be between %d and %d\n", INT_MIN, INT_MAX);
+			RETURN_THROWS();
+		}
+		rect.height = (int)r;
 	} else {
 		zend_argument_value_error(2, "must have a \"height\" key");
 		RETURN_THROWS();
