From c85cc034775cdd29268b3706b0af180240384fb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Kocsis?=
Date: Sat, 11 Feb 2023 22:00:37 +0100
Subject: [PATCH 1/2] Declare proper parameter default values for imagegd2
---
 ext/gd/gd.c | 27 +++++++++------------------
 ext/gd/gd.stub.php | 2 +-
 ext/gd/gd_arginfo.h | 6 +++---
 3 files changed, 13 insertions(+), 22 deletions(-)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index ceb17d1597a29..7f4012effe1a3 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1720,23 +1720,21 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, char
 {
 zval *imgind;
 char *file = NULL;
- zend_long quality = 0, type = 0;
+ zend_long quality = 128, type = 1;
 gdImagePtr im;
 FILE *fp;
 size_t file_len = 0;
- int argc = ZEND_NUM_ARGS();
- int q = -1, t = 1;
 /* The quality parameter for gd2 stands for chunk size */
 switch (image_type) {
 case PHP_GDIMG_TYPE_GD:
- if (zend_parse_parameters(argc, "O|p!", &imgind, gd_image_ce, &file, &file_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "O|p!", &imgind, gd_image_ce, &file, &file_len) == FAILURE) {
 RETURN_THROWS();
 }
 break;
 case PHP_GDIMG_TYPE_GD2:
- if (zend_parse_parameters(argc, "O|p!ll", &imgind, gd_image_ce, &file, &file_len, &quality, &type) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "O|p!ll", &imgind, gd_image_ce, &file, &file_len, &quality, &type) == FAILURE) {
 RETURN_THROWS();
 }
 break;
@@ -1745,13 +1743,6 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, char
 im = php_gd_libgdimageptr_from_zval_p(imgind);
- if (argc >= 3) {
- q = quality;
- if (argc == 4) {
- t = type;
- }
- }
-
 if (file_len) {
 PHP_GD_CHECK_OPEN_BASEDIR(file, "Invalid filename");
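Review bot: The initialisers `quality = 128, type = 1` in the declaration block of `_php_image_output` (hunk at -1720) repeat as bare numbers the defaults that gd.stub.php declares in this same patch (`128`, `IMG_GD2_RAW`), and `128` appears again in the `quality == -1` fallbacks of the two later hunks, so the values can drift apart unnoticed. A comment on the declaration such as `/* defaults mirror imagegd2() in gd.stub.php: chunk_size 128, mode IMG_GD2_RAW */` would record the link; if libgd's `GD2_FMT_RAW` is visible in this file, `type = GD2_FMT_RAW` says the same without the magic number. The function body continues past the end of the hunk.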
@@ -1766,10 +1757,10 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, char
 gdImageGd(im, fp);
 break;
 case PHP_GDIMG_TYPE_GD2:
- if (q == -1) {
- q = 128;
+ if (quality == -1) {
+ quality = 128;
 }
- gdImageGd2(im, fp, q, t);
+ gdImageGd2(im, fp, quality, type);
 break;
 EMPTY_SWITCH_DEFAULT_CASE()
 }
@@ -1792,10 +1783,10 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, char
 gdImageGd(im, tmp);
 break;
 case PHP_GDIMG_TYPE_GD2:
- if (q == -1) {
- q = 128;
+ if (quality == -1) {
+ quality = 128;
 }
- gdImageGd2(im, tmp, q, t);
+ gdImageGd2(im, tmp, quality, type);
 break;
 EMPTY_SWITCH_DEFAULT_CASE()
 }
diff --git a/ext/gd/gd.stub.php b/ext/gd/gd.stub.php
index e3b45cb12f8e7..9f7783e971759 100644
--- a/ext/gd/gd.stub.php
+++ b/ext/gd/gd.stub.php
@@ -628,7 +628,7 @@ function imagewbmp(GdImage $image, $file = null, ?int $foreground_color = null):
 function imagegd(GdImage $image, ?string $file = null): bool {}
-function imagegd2(GdImage $image, ?string $file = null, int $chunk_size = UNKNOWN, int $mode = UNKNOWN): bool {}
+function imagegd2(GdImage $image, ?string $file = null, int $chunk_size = 128, int $mode = IMG_GD2_RAW): bool {}
 #ifdef HAVE_GD_BMP
 /** @param resource|string|null $file */
diff --git a/ext/gd/gd_arginfo.h b/ext/gd/gd_arginfo.h
index 8ef90f0fd4bf2..9804ca7f0ecba 100644
--- a/ext/gd/gd_arginfo.h
+++ b/ext/gd/gd_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 68be83247e5e142879ce1bc4340c1c5b8a8f670a */
+ * Stub hash: 81ba6bf7b07027f6930db1c48a602f27724958af */
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_gd_info, 0, 0, IS_ARRAY, 0)
 ZEND_END_ARG_INFO()
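Review bot: `type` is still a `zend_long` when it reaches `gdImageGd2(im, fp, quality, type)` in the `PHP_GDIMG_TYPE_GD2` case of ext/gd/gd.c (hunk at -1766), and libgd takes that argument as an `int`, so on 64-bit builds a mode outside `int` range is silently narrowed. The identical call in the temp-file branch (hunk at -1792) has the same gap, and patch 2/2 on this page bounds `quality` only. Validating the mode right after parsing would close it, for example `if (type != GD2_FMT_RAW && type != GD2_FMT_COMPRESSED) { zend_argument_value_error(4, "must be either IMG_GD2_RAW or IMG_GD2_COMPRESSED"); RETURN_THROWS(); }`, assuming libgd's format macros are in scope in this file. If rejecting unknown modes is too strict for compatibility, an `INT_MIN`/`INT_MAX` bound like the one applied to `quality` would at least stop the truncation. The enclosing function starts and ends outside the hunk.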
@@ -265,8 +265,8 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_imagegd2, 0, 1, _IS_BOOL, 0)
 ZEND_ARG_OBJ_INFO(0, image, GdImage, 0)
 ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, file, IS_STRING, 1, "null")
- ZEND_ARG_TYPE_INFO(0, chunk_size, IS_LONG, 0)
- ZEND_ARG_TYPE_INFO(0, mode, IS_LONG, 0)
+ ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, chunk_size, IS_LONG, 0, "128")
+ ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, mode, IS_LONG, 0, "IMG_GD2_RAW")
 ZEND_END_ARG_INFO()
 #if defined(HAVE_GD_BMP)
From 33d20dfff4ad55c77177208783d30aa807f358e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Kocsis?=
Date: Mon, 20 Feb 2023 17:57:08 +0100
Subject: [PATCH 2/2] Introduce overflow/underflow check for quality param
---
 ext/gd/gd.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 7f4012effe1a3..ef53592d3467d 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1741,6 +1741,12 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, char
 EMPTY_SWITCH_DEFAULT_CASE()
 }
+ /* quality must fit in an int */
+ if (quality < INT_MIN || quality > INT_MAX) {
+ php_error_docref(NULL, E_WARNING, "Argument #3 ($chunk_size) must be between %d and %d", INT_MIN, INT_MAX);
+ RETURN_FALSE;
+ }
+
 im = php_gd_libgdimageptr_from_zval_p(imgind);
 if (file_len) {
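Review bot: The bound added in the ext/gd/gd.c hunk at -1741 only guards the narrowing to `int`; zero and negative chunk sizes still pass, with -1 remapped to 128 in the later switch and every other value handed to `gdImageGd2()` as is, so safe handling of those relies on libgd, which is not visible here. The check also sits after the switch, on the path shared with imagegd(), although its message names `$chunk_size`; moving it into `case PHP_GDIMG_TYPE_GD2:` would keep it next to the parameter it validates. If a stricter contract is acceptable, `zend_argument_value_error(3, "must be between %d and %d", INT_MIN, INT_MAX); RETURN_THROWS();` would report the failure as an argument error instead of a warning plus `false`. The function body starts and ends outside the hunk.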