1--TEST-- 2Bug #66356 (Heap Overflow Vulnerability in imagecrop()) 3--SKIPIF-- 4<?php 5 if(!extension_loaded('gd')){ die('skip gd extension not available'); } 6?> 7--FILE-- 8<?php 9$img = imagecreatetruecolor(10, 10); 10 11// POC #1 12var_dump(imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10))); 13 14$arr = array("x" => "a", "y" => "12b", "width" => 10, "height" => 10); 15var_dump(imagecrop($img, $arr)); 16print_r($arr); 17 18// POC #2 19var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => -1, "height" => 10))); 20 21// POC #3 22var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" => 10))); 23 24// POC #4 25var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10))); 26 27// bug 66815 28var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535))); 29?> 30--EXPECTF-- 31resource(%d) of type (gd) 32resource(%d) of type (gd) 33Array 34( 35 [x] => a 36 [y] => 12b 37 [width] => 10 38 [height] => 10 39) 40 41Warning: imagecrop(): gd warning: one parameter to a memory allocation multiplication is negative or zero, failing operation gracefully 42 in %sbug66356.php on line %d 43bool(false) 44resource(%d) of type (gd) 45resource(%d) of type (gd) 46 47Warning: imagecrop(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully 48 in %sbug66356.php on line %d 49bool(false)
