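--TEST--
Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
--EXTENSIONS--
gd
--SKIPIF--
<?php
// The GD2 reader must be available for this regression test to make sense.
if (!function_exists("imagecreatefromgd2")) {
    die("skip imagecreatefromgd2() not available");
}

// With a system (non-bundled) libgd the expected warnings below are only
// produced by a limited range of library versions, so skip outside it.
if (!GD_BUNDLED) {
    if (version_compare(GD_VERSION, '2.2.2', '<')) {
        die("skip test requires GD 2.2.2 or higher");
    }
    if (version_compare(GD_VERSION, '2.3.3', '>=')) {
        die("skip test requires GD 2.3.2 or older");
    }
}
?>
--FILE--
<?php
// Regression test: a GD2 header whose chunk counts multiply to an oversized
// allocation request must be rejected with a warning instead of being loaded.
$fname = __DIR__ . DIRECTORY_SEPARATOR . "bug72339.gd";

$fh = fopen($fname, "w");
if ($fh === false) {
    // Fail loudly rather than passing `false` on to fwrite()/fclose().
    die("could not create fixture file $fname");
}

// GD2 header, all fields big-endian 16-bit ("n"):
fwrite($fh, "gd2\x00");           // signature
fwrite($fh, pack("n", 2));        // version
fwrite($fh, pack("n", 1));        // image width
fwrite($fh, pack("n", 1));        // image height
fwrite($fh, pack("n", 0x40));     // chunk size
fwrite($fh, pack("n", 2));        // format (2 = compressed in libgd's GD2 numbering)
// 0x5AA0 * 0x5B00 = 540,467,200 chunks; multiplied by the per-chunk index
// entry size this is expected to exceed INT_MAX, which is what the first
// warning in EXPECTF reports.
fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
// 64 MiB of filler following the header; it should never be consumed when
// the header is rejected.
fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
fclose($fh);

// Expected to emit the two warnings and return false.
$im = imagecreatefromgd2($fname);

if ($im) {
    imagedestroy($im);
}
unlink($fname);

?>
--CLEAN--
<?php
// Runs in a separate process: removes the 64 MiB fixture even when the
// --FILE-- script aborted before reaching its own unlink().
$fname = __DIR__ . DIRECTORY_SEPARATOR . "bug72339.gd";
if (is_file($fname)) {
    unlink($fname);
}
?>
--EXPECTF--
Warning: imagecreatefromgd2(): Product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
 in %sbug72339.php on line %d

Warning: imagecreatefromgd2(): "%sbug72339.gd" is not a valid GD2 file in %sbug72339.php on line %d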