From: Pierre Joye <pajoye@php.net>
Date: Sat, 2 Jun 2007 15:38:09 +0000 (+0000)
Subject: - sx/sy must be > 0 and < INT_MAX
X-Git-Tag: php-5.2.4RC1~452
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f4926a042e6788af59c4679f2fe75eea8358f368;p=php

- sx/sy must be > 0 and < INT_MAX
---

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 3340df0847..3f24d6ea6e 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1718,7 +1718,9 @@ PHP_FUNCTION(imagecreatetruecolor)
 	convert_to_long_ex(x_size);
 	convert_to_long_ex(y_size);
 
-	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0) {
+	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0 ||
+			Z_LVAL_PP(x_size) >= INT_MAX || Z_LVAL_PP(y_size) >= INT_MAX 
+		) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
 		RETURN_FALSE;
 	}
@@ -2326,7 +2328,9 @@ PHP_FUNCTION(imagecreate)
 	convert_to_long_ex(x_size);
 	convert_to_long_ex(y_size);
 
-	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0) {
+	if (Z_LVAL_PP(x_size) <= 0 || Z_LVAL_PP(y_size) <= 0 ||
+			Z_LVAL_PP(x_size) >= INT_MAX || Z_LVAL_PP(y_size) >= INT_MAX
+		) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid image dimensions");
 		RETURN_FALSE;
 	}