1--TEST-- 2Bug #66356 (Heap Overflow Vulnerability in imagecrop()) 3--EXTENSIONS-- 4gd 5--FILE-- 6<?php 7$img = imagecreatetruecolor(10, 10); 8 9// POC #1 10var_dump(imagecrop($img, array("x" => "a", "y" => 0, "width" => 10, "height" => 10))); 11 12$arr = array("x" => "a", "y" => "12b", "width" => 10, "height" => 10); 13var_dump(imagecrop($img, $arr)); 14print_r($arr); 15 16// POC #2 17var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => -1, "height" => 10))); 18 19// POC #3 20var_dump(imagecrop($img, array("x" => -20, "y" => -20, "width" => 10, "height" => 10))); 21 22// POC #4 23var_dump(imagecrop($img, array("x" => 0x7fffff00, "y" => 0, "width" => 10, "height" => 10))); 24 25// bug 66815 26var_dump(imagecrop($img, array("x" => 0, "y" => 0, "width" => 65535, "height" => 65535))); 27?> 28--EXPECTF-- 29object(GdImage)#2 (0) { 30} 31object(GdImage)#2 (0) { 32} 33Array 34( 35 [x] => a 36 [y] => 12b 37 [width] => 10 38 [height] => 10 39) 40 41Warning: imagecrop(): %cne parameter to a memory allocation multiplication is negative or zero, failing operation gracefully 42 in %s on line %d 43bool(false) 44object(GdImage)#2 (0) { 45} 46object(GdImage)#2 (0) { 47} 48 49Warning: imagecrop(): %croduct of memory allocation multiplication would exceed INT_MAX, failing operation gracefully 50 in %s on line %d 51bool(false) 52
