Fix GH-16322: imageaffine overflow on affine argument. #16334
devnexen wants to merge 2 commits into php:PHP-8.2 from
bc91602 to 2a070dc
ext/gd/gd.c
Outdated
| break; | ||
| case IS_DOUBLE: | ||
| affine[i] = Z_DVAL_P(zval_affine_elem); | ||
| if (ZEND_LONG_EXCEEDS_INT(affine[i])) { |
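Review bot: In the `IS_DOUBLE` case, `ZEND_LONG_EXCEEDS_INT(affine[i])` is applied to a value read with `Z_DVAL_P`, that is, a double, while the macro's name says it is meant for zend_long values. An explicit comparison against `INT_MIN` and `INT_MAX`, as the `IS_LONG` case does, states the intended bounds directly. Writing it as a positive range test (reject unless the value is >= `INT_MIN` and <= `INT_MAX`) also rejects NaN, which compares false against both bounds and would pass a `<` / `>` guard.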
I don't think this will work on 32bit platforms, since ZEND_LONG_EXCEEDS_INT() is a no-op there, but users can pass a matrix like [9223372036854775807., 1, 1, 1, 1, 1]. Same for the IS_STRING case below.
You're right, I always forget.
cmb69 left a comment
Thank you! Looks generally good to me, and I don't see any particular issues with constraining the range of the matrix elements.
| case IS_LONG: | ||
| affine[i] = Z_LVAL_P(zval_affine_elem); | ||
| affine[i] = Z_LVAL_P(zval_affine_elem); | ||
| if (affine[i] < INT_MIN || affine[i] > INT_MAX) { |
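Review bot: The guard `if (affine[i] < INT_MIN || affine[i] > INT_MAX)` sits inside the `IS_LONG` case, so each type case carries its own copy of the range check, and the `IS_DOUBLE` case shown earlier uses a different form. Both cases shown assign `affine[i]` before checking it, so a single check placed after the switch would apply the same bounds to every element type and leave one place to maintain.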
This guard could use ZEND_LONG_EXCEEDS_INT(), but for consistency it may be better this way (and the compiler will optimize it away anyway).
ext/gd/tests/gh16322.phpt
Outdated
| --INI-- | ||
| memory_limit=-1 | ||
| --SKIPIF-- | ||
| <?php if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only'); ?> |
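Review bot: `memory_limit=-1` in the `--INI--` section removes the memory cap for this test. If the test expects the out-of-range matrix to be rejected by the new range check, the default limit should be enough, and keeping a limit means a regression fails with a memory error instead of exhausting memory on the machine running the suite.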
The test could make sense on 32bit platforms, too, if instead of PHP_INT_MIN and PHP_INT_MAX doubles would be used.
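The 32-bit concern raised in the review comments above, as an added example (not code from this pull request or from php-src): a range check on a double matrix element that does not depend on the width of `long` and also rejects NaN. `LONG_EXCEEDS_INT_NOOP`, `affine_elem_fits_int` and the two `first_bad_*` helpers are hypothetical names; the no-op macro only models the 32-bit behaviour the reviewer describes.

```c
#include <limits.h>
#include <math.h>
#include <stdio.h>

/* Hypothetical stand-in for a long-vs-int range macro on a platform where
 * long and int have the same width: it compiles to a constant 0. */
#define LONG_EXCEEDS_INT_NOOP(x) (0)

/* Returns 1 when v can be converted to int without overflow.
 * Written as a positive range test so NaN (every comparison with NaN is
 * false) and +/-infinity are rejected as well. */
static int affine_elem_fits_int(double v)
{
    return v >= (double)INT_MIN && v <= (double)INT_MAX;
}

/* Returns the index of the first out-of-range element, or -1 if all six fit. */
static int first_bad_affine_elem(const double m[6])
{
    for (int i = 0; i < 6; i++) {
        if (!affine_elem_fits_int(m[i])) {
            return i;
        }
    }
    return -1;
}

/* Same loop with the no-op guard: nothing is ever rejected. */
static int first_bad_with_noop_guard(const double m[6])
{
    for (int i = 0; i < 6; i++) {
        if (LONG_EXCEEDS_INT_NOOP(m[i])) {
            return i;
        }
    }
    return -1;
}

int main(void)
{
    /* Matrix from the review comment, as doubles. */
    const double big[6] = {9223372036854775807., 1, 1, 1, 1, 1};
    printf("explicit check: first bad index %d\n", first_bad_affine_elem(big));
    printf("no-op guard:    first bad index %d\n", first_bad_with_noop_guard(big));
    return 0;
}
```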