Fix #79877: getimagesize function silently truncates after a null byte

author Christoph M. Becker <cmbecker69@gmx.de>

Tue, 21 Jul 2020 09:07:43 +0000 (11:07 +0200)

committer Stanislav Malyshev <stas@php.net>

Mon, 3 Aug 2020 08:10:24 +0000 (01:10 -0700)
author Christoph M. Becker <cmbecker69@gmx.de>
Tue, 21 Jul 2020 09:07:43 +0000 (11:07 +0200)
committer Stanislav Malyshev <stas@php.net>
Mon, 3 Aug 2020 08:10:24 +0000 (01:10 -0700)
diff --git a/ext/standard/image.c b/ext/standard/image.c

index 73e1776a3a26d0cfc18648a07250bd2fc858b92a..5c87c9a49aa790f9b8118eed6aec5327abf73b16 100644 (file)
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -1475,6 +1475,11 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {
                 Z_PARAM_ZVAL(info)
         ZEND_PARSE_PARAMETERS_END();
  
+       if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) {
+               php_error_docref(NULL, E_WARNING, "Invalid path");
+               return;
+       }
+
         if (argc == 2) {
                 info = zend_try_array_init(info);
                 if (!info) {
diff --git a/ext/standard/tests/image/bug79877.phpt b/ext/standard/tests/image/bug79877.phpt

new file mode 100644 (file)

index 0000000..92e93e5
--- /dev/null
+++ b/ext/standard/tests/image/bug79877.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #79877 (getimagesize function silently truncates after a null byte)
+--FILE--
+<?php
+var_dump(getimagesize("/tmp/a.png\0xx"));
+?>
+--EXPECTF--
+Warning: getimagesize(): Invalid path in %s on line %d
+NULL
author	Christoph M. Becker <cmbecker69@gmx.de>
	Tue, 21 Jul 2020 09:07:43 +0000 (11:07 +0200)
committer	Stanislav Malyshev <stas@php.net>
	Mon, 3 Aug 2020 08:10:24 +0000 (01:10 -0700)
ext/standard/image.c		patch \| blob \| history
ext/standard/tests/image/bug79877.phpt	[new file with mode: 0644]	patch \| blob