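--TEST--
Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
--SKIPIF--
<?php
// Stop at the first unmet requirement: the GD_* constants below are only
// defined when the gd extension is loaded, so they must not be evaluated
// once we already know the extension is missing.
if (!function_exists("imagecreatefromgd2")) {
    die("skip imagecreatefromgd2() is not available");
}
if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.2', '<')) {
    die("skip test requires GD 2.2.2 or higher");
}
?>
--FILE--
<?php
// Regression test for an unchecked size computation in the GD2 header parser.
// It writes a GD2 file whose two chunk-count fields are far larger than the
// 1x1 image can justify, then checks that the loader refuses the file with
// the two warnings listed under EXPECTF instead of sizing a buffer from them.
$fname = __DIR__ . DIRECTORY_SEPARATOR . "bug72339.gd";

$fh = fopen($fname, "w");
if ($fh === false) {
    // Fail with a readable reason rather than a TypeError from fwrite().
    die("could not create fixture file");
}

// GD2 header: signature followed by seven big-endian 16-bit fields.
fwrite($fh, "gd2\x00");            // signature
fwrite($fh, pack("n", 2));         // version
fwrite($fh, pack("n", 1));         // image width
fwrite($fh, pack("n", 1));         // image height
fwrite($fh, pack("n", 0x40));      // chunk size
fwrite($fh, pack("n", 2));         // format (2 selects the compressed layout)
// 0x5AA0 * 0x5B00 = 540,467,200 chunks. Scaled by the size of one chunk-index
// entry (defined on the C side, not shown here), the product passes INT_MAX,
// which is the condition the first expected warning reports.
fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
// 0x1000000 repetitions of 4 bytes = 64 MiB of filler following the header.
fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
fclose($fh);

$im = imagecreatefromgd2($fname);

// The expected warnings mean the load is rejected; release the image only if
// one was produced anyway, so the output stays limited to those warnings.
if ($im) {
    imagedestroy($im);
}

?>
--CLEAN--
<?php
// Cleanup lives in its own section so the 64 MiB fixture is removed even when
// the FILE section dies before reaching its end (the failure mode this test
// guards against is a crash inside imagecreatefromgd2()).
$fname = __DIR__ . DIRECTORY_SEPARATOR . "bug72339.gd";
if (is_file($fname)) {
    unlink($fname);
}
?>
--EXPECTF--
Warning: imagecreatefromgd2(): Product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %sbug72339.php on line %d

Warning: imagecreatefromgd2(): "%sbug72339.gd" is not a valid GD2 file in %sbug72339.php on line %d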