- MFB: sx/sy must be > 0 and < INT_MAX

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 0b1d29edecdd032a447a2a89c3f958d72d658747..11ba9d938813d7bbba2e6b65ce175371ee67c2be 100644 (file)
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1560,7 +1560,7 @@ PHP_FUNCTION(imagecreatetruecolor)
                return;
        }
 
-       if (x_size <= 0 || y_size <= 0) {
+       if (x_size <= 0 || y_size <= 0 ||  x_size >= INT_MAX || y_size >= INT_MAX) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
                RETURN_FALSE;
        }
@@ -2109,7 +2109,7 @@ PHP_FUNCTION(imagecreate)
                return;
        }
 
-       if (x_size <= 0 || y_size <= 0) {
+       if (x_size <= 0 || y_size <= 0 ||  x_size >= INT_MAX || y_size >= INT_MAX) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
                RETURN_FALSE;
        }