From: Ilia Alshanetsky <iliaa@php.net>
Date: Fri, 30 Jul 2004 01:10:46 +0000 (+0000)
Subject: MFH: Fixed bug #29443 (Sanity check for wbmp detection).
X-Git-Tag: php-4.3.9RC1~19
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ef6cfdbec3d862b12bc407e0e528f2daf3f0e14b;p=php

MFH: Fixed bug #29443 (Sanity check for wbmp detection).
---

diff --git a/NEWS b/NEWS
index 7c71198bfb..dfadf5a217 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP 4                                                                      NEWS
 - Updated PCRE to provide better error handling in certain cases. (Andrei)
 - NSAPI: added "bucket" parameter to list of non-php.ini-keys of php4_execute
   for doing performance stats without warnings in server-log. (Uwe Schindler)
+- Fixed bug #29443 (Sanity check for wbmp detection). (Ilia)
 - Fixed bug #29369 (Uploaded files with ' or " in their names get their names
   truncated at those characters). (Ilia)
 - Fixed bug #29349 (imagecreatefromstring() crashes with external GD library).
diff --git a/ext/standard/image.c b/ext/standard/image.c
index cef34dd8d1..b0782e3780 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -940,6 +940,11 @@ static int php_get_wbmp(php_stream *stream, struct gfxinfo **result, int check T
 		}
 		height = (height << 7) | (i & 0x7f);
 	} while (i & 0x80);
+
+	/* maximum valid sizes for wbmp (although 127x127 may be a more accurate one) */
+	if (height > 2048 || width > 2048) {
+		return 0;
+	}
 	
 	if (!check) {
 		(*result)->width = width;