Skip to content

Commit fe8dffe

Browse files
devnexendevnexen
committed
Fixed GH-18243: imagettftext underflow/overflow on size argument.
close GH-18245
1 parent 821e346 commit fe8dffe

File tree

3 files changed

+55
-0
lines changed

3 files changed

+55
-0
lines changed

NEWS

+2
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@ PHP NEWS
55
- GD:
66
. Fixed imagecrop() overflow with rect argument with x/width y/heigh usage
77
in gdImageCrop(). (David Carlier)
8+
. Fixed GH-18243 imagettftext() overflow/underflow on font size value.
9+
(David Carlier)
810

911
- OpenSSL:
1012
. Fix memory leak in openssl_sign() when passing invalid algorithm.

ext/gd/gd.c

+11
Original file line numberDiff line numberDiff line change
@@ -3082,6 +3082,17 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode)
30823082
im = php_gd_libgdimageptr_from_zval_p(IM);
30833083
}
30843084

3085+
// FT_F26Dot6 is a signed long alias
3086+
if (ptsize < (double)LONG_MIN / 64 || ptsize > (double)LONG_MAX / 64) {
3087+
zend_argument_value_error(2, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, (zend_long)((double)LONG_MIN / 64), (zend_long)((double)LONG_MAX / 64));
3088+
RETURN_THROWS();
3089+
}
3090+
3091+
if (UNEXPECTED(!zend_finite(ptsize))) {
3092+
zend_argument_value_error(2, "must be finite");
3093+
RETURN_THROWS();
3094+
}
3095+
30853096
/* convert angle to radians */
30863097
angle = angle * (M_PI/180);
30873098

ext/gd/tests/gh18243.phpt

+42
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
--TEST--
2+
GH-18243: imagefttext underflow/overflow on $size
3+
--EXTENSIONS--
4+
gd
5+
--SKIPIF--
6+
<?php
7+
if(!function_exists('imagettftext')) die('skip imagettftext() not available');
8+
?>
9+
--FILE--
10+
<?php
11+
$font = __DIR__.'/Rochester-Regular.otf';
12+
$im = imagecreatetruecolor(100, 80);
13+
14+
try {
15+
imagettftext($im, PHP_INT_MAX, 0, 15, 60, 0, $font, "");
16+
} catch (\ValueError $e) {
17+
echo $e->getMessage(), PHP_EOL;
18+
}
19+
20+
try {
21+
imagettftext($im, PHP_INT_MIN, 0, 15, 60, 0, $font, "");
22+
} catch (\ValueError $e) {
23+
echo $e->getMessage(), PHP_EOL;
24+
}
25+
26+
try {
27+
imagettftext($im, NAN, 0, 15, 60, 0, $font, "");
28+
} catch (\ValueError $e) {
29+
echo $e->getMessage(), PHP_EOL;
30+
}
31+
32+
try {
33+
imagettftext($im, INF, 0, 15, 60, 0, $font, "");
34+
} catch (\ValueError $e) {
35+
echo $e->getMessage();
36+
}
37+
?>
38+
--EXPECTF--
39+
imagettftext(): Argument #2 ($size) must be between %i and %d
40+
imagettftext(): Argument #2 ($size) must be between %i and %d
41+
imagettftext(): Argument #2 ($size) must be finite
42+
imagettftext(): Argument #2 ($size) must be between %i and %d

0 commit comments

Comments
 (0)