MFH: Fixed bug #29443 (Sanity check for wbmp detection).

diff --git a/NEWS b/NEWS
index 7c71198bfb56e656b79d61589d46a8890d6cd51a..dfadf5a21702e6592bbb130166a16fe7bbd20dd3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP 4                                                                      NEWS
 - Updated PCRE to provide better error handling in certain cases. (Andrei)
 - NSAPI: added "bucket" parameter to list of non-php.ini-keys of php4_execute
   for doing performance stats without warnings in server-log. (Uwe Schindler)
+- Fixed bug #29443 (Sanity check for wbmp detection). (Ilia)
 - Fixed bug #29369 (Uploaded files with ' or " in their names get their names
   truncated at those characters). (Ilia)
 - Fixed bug #29349 (imagecreatefromstring() crashes with external GD library).

diff --git a/ext/standard/image.c b/ext/standard/image.c
index cef34dd8d1b894e9375e93d79919b4358e4073a1..b0782e3780648a77c168eb41b65c72425677cbdc 100644 (file)
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -940,6 +940,11 @@ static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check T
                }
                height = (height << 7) | (i & 0x7f);
        } while (i & 0x80);
+
+       /* maximum valid sizes for wbmp (although 127x127 may be a more accurate one) */
+       if (height > 2048 || width > 2048) {
+               return 0;
+       }
        
        if (!check) {
                (*result)->width = width;