Bug #77272 imagescale() may return image resource on failure
Submitted: 2018-12-09 15:28 UTC Modified: 2019-01-10 12:11 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 7.2.13 OS: *
Private report: No CVE-ID: None
 [2018-12-09 15:28 UTC] cmb@php.net
Description:
------------
If either dimension of an image passed to imagescale() is greater
than or equal to 0x1000000, the image cannot be scaled, but still
gdImageScale() of the *bundled* libgd would return a (blank)
image.  This issue is fixed in upstream libgd as of 2.2.3.

Note that the reproduce script given below requires an appropriate
fix for bug #77269 regarding bundled libgd (otherwise we likely
hit a segfault), and a master build of upstream libgd (otherwise
the original image couldn't be allocated in the first place[1]).

[1] <https://github.com/libgd/libgd/commit/c3cf674cb444696a36f720f785878b41225af063>

Test script:
---------------
<?php
$img = imagecreate(2**28, 1);
var_dump(imagescale($img, 1, 1, IMG_TRIANGLE));


Expected result:
----------------
Warning: imagescale(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d
bool(false)


Actual result:
--------------
Warning: imagescale(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %s on line %d
resource(%d) of type (gd)


 [2018-12-09 15:29 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2018-12-09 15:29 UTC] cmb@php.net
Actually, this is not a security issue, but nonetheless should
be kept private until bug #77269 is resolved, since the reproduce
script would hint at that bug.
 [2018-12-09 15:29 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2019-01-10 13:27 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=772b1cb245ebe19e220a2552d1e2b700d15f2c68
Log: Fix #77272: imagescale() may return image resource on failure
 [2019-01-10 13:27 UTC] cmb@php.net
-Status: Assigned +Status: Closed
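
For callers that may run on a build without this fix, a defensive wrapper around imagescale() is sketched here as an added example (not code from php-src or from the report). `scale_checked` and its `$limit` parameter are hypothetical names; the 0x1000000 threshold and the warning-on-failure behaviour are taken from the description above.

```php
<?php
// Added example, not php-src code. Threshold as stated in the bug description.
const GD_SCALE_DIM_LIMIT = 0x1000000;

/**
 * Hypothetical wrapper: returns the scaled image, or null on any failure.
 * $limit is a parameter only so the rejection path can be exercised cheaply.
 */
function scale_checked($src, int $w, int $h, int $mode = IMG_BILINEAR_FIXED,
                       int $limit = GD_SCALE_DIM_LIMIT)
{
    // 1. Refuse sources that the report says cannot be scaled.
    if (imagesx($src) >= $limit || imagesy($src) >= $limit) {
        return null;
    }

    // 2. Record any warning raised during the call: affected builds warn
    //    but still hand back a (blank) image.
    $warned = false;
    set_error_handler(function () use (&$warned) {
        $warned = true;
        return true; // handled here, skip the default handler
    }, E_WARNING);
    try {
        $dst = imagescale($src, $w, $h, $mode);
    } finally {
        restore_error_handler();
    }

    // 3. Fixed builds return false; on affected builds the warning is the
    //    only failure signal, so treat it as failure too.
    if ($dst === false || $warned) {
        return null;
    }
    return $dst;
}

// Constructed demo input: a small palette image.
$img = imagecreate(64, 48);
var_dump(scale_checked($img, 32, 24, IMG_TRIANGLE) !== null);     // normal path
var_dump(scale_checked($img, 32, 24, IMG_TRIANGLE, 64) === null); // rejection path, lowered limit
```

Treating any warning as failure is deliberately strict: it discards a result whenever imagescale() warns, which is the only observable difference between success and failure on an affected build.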
 
Last updated: Sat Nov 23 07:01:29 2024 UTC