fix imagecrop overflow

devnexen · devnexen · commit 3645a3c4ff07 · 2025-03-22T07:12:12.000Z
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -3848,7 +3848,7 @@ PHP_FUNCTION(imageantialias)
 }
 /* }}} */
 
-static bool _php_gd_zval_try_get_c_int(zval *tmp, const char *field, int *res) {
+static bool php_gd_zval_try_get_c_int(zval *tmp, const char *field, int *res) {
 	zend_long r;
 	bool failed = false;
 	r = zval_try_get_long(tmp, &failed);
@@ -3882,7 +3882,7 @@ PHP_FUNCTION(imagecrop)
 	im = php_gd_libgdimageptr_from_zval_p(IM);
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "x", sizeof("x") -1)) != NULL) {
-		if (!_php_gd_zval_try_get_c_int(tmp, "x", &rect.x)) {
+		if (!php_gd_zval_try_get_c_int(tmp, "x", &rect.x)) {
 			RETURN_THROWS();
 		}
 	} else {
@@ -3891,7 +3891,7 @@ PHP_FUNCTION(imagecrop)
 	}
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "y", sizeof("y") - 1)) != NULL) {
-		if (!_php_gd_zval_try_get_c_int(tmp, "y", &rect.y)) {
+		if (!php_gd_zval_try_get_c_int(tmp, "y", &rect.y)) {
 			RETURN_THROWS();
 		}
 	} else {
@@ -3900,7 +3900,7 @@ PHP_FUNCTION(imagecrop)
 	}
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "width", sizeof("width") - 1)) != NULL) {
-		if (!_php_gd_zval_try_get_c_int(tmp, "width", &rect.width)) {
+		if (!php_gd_zval_try_get_c_int(tmp, "width", &rect.width)) {
 			RETURN_THROWS();
 		}
 	} else {
@@ -3909,14 +3909,24 @@ PHP_FUNCTION(imagecrop)
 	}
 
 	if ((tmp = zend_hash_str_find(Z_ARRVAL_P(z_rect), "height", sizeof("height") - 1)) != NULL) {
-		if (!_php_gd_zval_try_get_c_int(tmp, "height", &rect.height)) {
+		if (!php_gd_zval_try_get_c_int(tmp, "height", &rect.height)) {
 			RETURN_THROWS();
 		}
 	} else {
 		zend_argument_value_error(2, "must have a \"height\" key");
 		RETURN_THROWS();
 	}
 
+	if ((rect.width > 0 && rect.x > INT_MAX - rect.width) || (rect.width < 0 && rect.x < INT_MIN - rect.width)) {
+		zend_argument_value_error(2, "overflow with \"x\" and \"width\" keys");
+		RETURN_THROWS();
+	}
+
+	if ((rect.height > 0 && rect.y > INT_MAX - rect.height) || (rect.height < 0 && rect.y < INT_MIN - rect.height)) {
+		zend_argument_value_error(2, "overflow with \"y\" and \"height\" keys");
+		RETURN_THROWS();
+	}
+
 	im_crop = gdImageCrop(im, &rect);
 
 	if (im_crop == NULL) {
diff --git a/ext/gd/tests/bug66356.phpt b/ext/gd/tests/bug66356.phpt
@@ -10,7 +10,11 @@ $img = imagecreatetruecolor(10, 10);
 var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 10, "height" => 10)));
 
 $arr = array("x" => 2147483647, "y" => 2147483647, "width" => 10, "height" => 10);
-var_dump(imagecrop($img, $arr));
+try {
+	imagecrop($img, $arr);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
 print_r($arr);
 
 // POC #2
@@ -28,8 +32,7 @@ var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" =>
 --EXPECTF--
 object(GdImage)#2 (0) {
 }
-object(GdImage)#2 (0) {
-}
+imagecrop(): Argument #2 ($rectangle) overflow with "x" and "width" keys
 Array
 (
     [x] => 2147483647
@@ -41,9 +44,9 @@ Array
 Warning: imagecrop(): %cne parameter to a memory allocation multiplication is negative or zero, failing operation gracefully
  in %s on line %d
 bool(false)
-object(GdImage)#2 (0) {
+object(GdImage)#3 (0) {
 }
-object(GdImage)#2 (0) {
+object(GdImage)#3 (0) {
 }
 
 Warning: imagecrop(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
