xref: /PHP-5.5/ext/gd/tests/bug72339.phpt (revision 0c7250f2)
1--TEST--
2Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
3--SKIPIF--
<?php
// Skip the test when the GD2 loader is not compiled in; the run-tests
// harness treats output starting with "skip" as a skip request.
if (!function_exists("imagecreatefromgd2")) {
    print "skip";
}
?>
5--FILE--
<?php
// Regression input for bug #72339: a GD2 file whose header declares a chunk
// grid so large that the size of the chunk-index allocation overflows.
// A fixed build must refuse the file and emit the two warnings listed in
// --EXPECTF--. The script writes a 64 MiB scratch file next to the test and
// deletes it again at the end.
$fname = __DIR__ . DIRECTORY_SEPARATOR . "bug72339.gd";

// Header words, each written as an unsigned 16-bit big-endian value (pack "n").
// Only the two chunk-count labels come from the original test; the remaining
// field names follow the GD2 header layout and should be confirmed against
// gd_gd2.c.
$words = array(
    2,      // version
    1,      // image width
    1,      // image height
    0x40,   // chunk size
    2,      // format (presumably the compressed variant, confirm)
    0x5AA0, // chunks wide
    0x5B00, // chunks vertically
);

$header = "gd2\x00"; // 4-byte file signature
foreach ($words as $word) {
    $header .= pack("n", $word);
}

// 0x5AA0 * 0x5B00 = 0x2036E000 chunks still fits in a 32-bit int. It is the
// multiplication by the per-chunk index entry size (presumably 8 bytes,
// confirm) that exceeds INT_MAX, which is the condition named in the first
// expected warning.
$fh = fopen($fname, "w");
fwrite($fh, $header);
// 4 bytes x 0x1000000 = 64 MiB of 0x41 filler after the header; the original
// test labels this "overflow data". It is written separately so the header and
// the filler are never concatenated into a second large string in memory.
fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000));
fclose($fh);

$im = imagecreatefromgd2($fname);

// A successful load is not expected (see --EXPECTF--); free the image if the
// loader returns one anyway.
if ($im) {
    imagedestroy($im);
}
unlink($fname);

?>
29--EXPECTF--
30Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
31 in %sbug72339.php on line %d
32
33Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d
34