- sx/sy must be > 0 and < INT_MAX

author Pierre Joye <pajoye@php.net>

Sat, 2 Jun 2007 15:38:09 +0000 (15:38 +0000)

committer Pierre Joye <pajoye@php.net>

Sat, 2 Jun 2007 15:38:09 +0000 (15:38 +0000)
author Pierre Joye <pajoye@php.net>
Sat, 2 Jun 2007 15:38:09 +0000 (15:38 +0000)
committer Pierre Joye <pajoye@php.net>
Sat, 2 Jun 2007 15:38:09 +0000 (15:38 +0000)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c

index 3340df08470414bc45b3af378c04f973e6e1846e..3f24d6ea6e19cbde1d05e28147bf649082272aa1 100644 (file)
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1718,7 +1718,9 @@ PHP_FUNCTION(imagecreatetruecolor)
         convert_to_long_ex(x_size);
         convert_to_long_ex(y_size);
  
-       if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0) {
+       if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0 ||
+                       Z_LVAL_PP(x_size) >= INT_MAX || Z_LVAL_PP(y_size) >= INT_MAX 
+               ) {
                 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
                 RETURN_FALSE;
         }
@@ -2326,7 +2328,9 @@ PHP_FUNCTION(imagecreate)
         convert_to_long_ex(x_size);
         convert_to_long_ex(y_size);
  
-       if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0) {
+       if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0 ||
+                       Z_LVAL_PP(x_size) >= INT_MAX || Z_LVAL_PP(y_size) >= INT_MAX
+               ) {
                 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
                 RETURN_FALSE;
         }
author	Pierre Joye <pajoye@php.net>
	Sat, 2 Jun 2007 15:38:09 +0000 (15:38 +0000)
committer	Pierre Joye <pajoye@php.net>
	Sat, 2 Jun 2007 15:38:09 +0000 (15:38 +0000)