Commit f08491bf08c for php.net

commit f08491bf08cda0b490b20e07a33c4b82e8dd2543
Author: David Carlier <devnexen@gmail.com>
Date:   Fri Jul 3 13:36:48 2026 +0100

    ext/standard: getimagesize()/getimagesizefromstring() overflow.

    close GH-22574

diff --git a/NEWS b/NEWS
index d950ce969fc..41fc6d053bc 100644
--- a/NEWS
+++ b/NEWS
@@ -70,6 +70,8 @@ PHP                                                                        NEWS
     incremental flush). (David Carlier)
   . Fixed bug GH-22395 (base_convert() outputs at most 64 characters).
     (Weilin Du)
+  . Fixed integer overflow in getimagesize() and getimagesizefromstring()
+    when parsing an IFF chunk with a size of INT_MAX. (David Carlier, Weilin Du)

 - Zip:
   . Fixed bug GH-21705 (ZipArchive::getFromIndex() ignores
diff --git a/ext/standard/image.c b/ext/standard/image.c
index 15761364c34..4709b93d0a5 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -875,6 +875,9 @@ static struct gfxinfo *php_handle_iff(php_stream * stream)
 			return NULL;
 		}
 		if ((size & 1) == 1) {
+			if (size == INT_MAX) {
+				return NULL;
+			}
 			size++;
 		}
 		if (chunkId == 0x424d4844) { /* BMHD chunk */
diff --git a/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt b/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt
new file mode 100644
index 00000000000..f6fdea9d8e6
--- /dev/null
+++ b/ext/standard/tests/image/getimagesizefromstring_iff_overflow.phpt
@@ -0,0 +1,24 @@
+--TEST--
+getimagesizefromstring() IFF chunk size integer overflow (GH-getimagesize_oflow)
+--CREDITS--
+Alexandre Daubois
+--FILE--
+<?php
+// IFF/ILBM with a chunk size of INT_MAX (0x7fffffff), an odd value.
+// The parser rounds odd chunk sizes up to even via size++, which overflowed
+// when size == INT_MAX. It must be handled gracefully rather than triggering UB.
+$payload = "FORM" . "\x00\x00\x00\x00" . "ILBM" . "ABCD" . "\x7f\xff\xff\xff";
+var_dump(getimagesizefromstring($payload));
+
+// getimagesize() shares the same IFF parser through the file path.
+$file = __DIR__ . "/getimagesizefromstring_iff_overflow.iff";
+file_put_contents($file, $payload);
+var_dump(getimagesize($file));
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . "/getimagesizefromstring_iff_overflow.iff");
+?>
+--EXPECT--
+bool(false)
+bool(false)