Commit c8e13af4558 for php.net
commit c8e13af4558659ba91cec07e502733e127dcb1ce
Author: David Carlier <devnexen@gmail.com>
Date: Fri Nov 28 12:40:33 2025 +0000
Fix GH-20602: imagescale() overflow with large height values.
close GH-20605
diff --git a/NEWS b/NEWS
index 863d672d736..214f1105b5c 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,8 @@ PHP NEWS
- GD:
. Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
(David Carlier)
+ . Fixed bug GH-20602 (imagescale overflow with large height values).
+ (David Carlier)
- LibXML:
. Fix some deprecations on newer libxml versions regarding input
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 558d0764d66..925d64f01c5 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3689,9 +3689,17 @@ PHP_FUNCTION(imagescale)
src_y = gdImageSY(im);
if (src_x && tmp_h < 0) {
+ if (tmp_w > (ZEND_LONG_MAX / src_y)) {
+ zend_argument_value_error(2, "must be less than or equal to " ZEND_LONG_FMT, (zend_long)(ZEND_LONG_MAX / src_y));
+ RETURN_THROWS();
+ }
tmp_h = tmp_w * src_y / src_x;
}
if (src_y && tmp_w < 0) {
+ if (tmp_h > (ZEND_LONG_MAX / src_x)) {
+ zend_argument_value_error(3, "must be less than or equal to " ZEND_LONG_FMT, (zend_long)(ZEND_LONG_MAX / src_x));
+ RETURN_THROWS();
+ }
tmp_w = tmp_h * src_x / src_y;
}
}
diff --git a/ext/gd/tests/gh20602.phpt b/ext/gd/tests/gh20602.phpt
new file mode 100644
index 00000000000..29c781e76a2
--- /dev/null
+++ b/ext/gd/tests/gh20602.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-20551: (imagegammacorrect out of range input/output value)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreatetruecolor(16, 16);
+
+try {
+ imagescale($im, PHP_INT_MAX, -1);
+} catch (\ValueError $e) {
+ echo $e->getMessage(), PHP_EOL;
+}
+try {
+ imagescale($im, -1, PHP_INT_MAX);
+} catch (\ValueError $e) {
+ echo $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+imagescale(): Argument #2 ($width) must be less than or equal to %d
+imagescale(): Argument #3 ($height) must be less than or equal to %d