#72337 invalid dimensions can lead to segv

Author: pierrejoye

ext/gd/gd.c

@@ -5145,6 +5145,10 @@ PHP_FUNCTION(imagescale)
 		}
 	}
 
+	if (tmp_h <= 0 || tmp_w <= 0) {
+		RETURN_FALSE;
+	}
+
 	new_width = tmp_w;
 	new_height = tmp_h;
 

ext/gd/libgd/gd_interpolation.c

@@ -1059,6 +1059,10 @@ gdImagePtr gdImageScaleTwoPass(const gdImagePtr src, const unsigned int src_widt
 	gdImagePtr tmp_im;
 	gdImagePtr dst;
 
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
+	}
+
 	/* Convert to truecolor if it isn't; this code requires it. */
 	if (!src->trueColor) {
 		gdImagePaletteToTrueColor(src);
@@ -1087,6 +1091,10 @@ gdImagePtr Scale(const gdImagePtr src, const unsigned int src_width, const unsig
 {
 	gdImagePtr tmp_im;
 
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
+	}
+
 	tmp_im = gdImageCreateTrueColor(new_width, src_height);
 	if (tmp_im == NULL) {
 		return NULL;
@@ -1120,6 +1128,10 @@ gdImagePtr gdImageScaleNearestNeighbour(gdImagePtr im, const unsigned int width,
 	unsigned long  dst_offset_y = 0;
 	unsigned int i;
 
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
+	}
+
 	dst_img = gdImageCreateTrueColor(new_width, new_height);
 
 	if (dst_img == NULL) {
@@ -1221,6 +1233,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
 	gdImagePtr new_img;
 	const int transparent = im->transparent;
 
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
+	}
+
 	new_img = gdImageCreateTrueColor(new_width, new_height);
 	if (new_img == NULL) {
 		return NULL;
@@ -1313,6 +1329,10 @@ static gdImagePtr gdImageScaleBilinearTC(gdImagePtr im, const unsigned int new_w
 	long i;
 	gdImagePtr new_img;
 
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
+	}
+
 	new_img = gdImageCreateTrueColor(new_width, new_height);
 	if (!new_img){
 		return NULL;
@@ -1412,6 +1432,10 @@ gdImagePtr gdImageScaleBicubicFixed(gdImagePtr src, const unsigned int width, co
 	unsigned int dst_offset_y = 0;
 	long i;
 
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
+	}
+
 	/* impact perf a bit, but not that much. Implementation for palette
 	   images can be done at a later point.
 	*/
@@ -1634,7 +1658,11 @@ gdImagePtr gdImageScale(const gdImagePtr src, const unsigned int new_width, cons
 	gdImagePtr im_scaled = NULL;
 
 	if (src == NULL || src->interpolation_id < 0 || src->interpolation_id > GD_METHOD_COUNT) {
-		return 0;
+		return NULL;
+	}
+
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
 	}
 
 	switch (src->interpolation_id) {
@@ -1680,6 +1708,10 @@ gdImagePtr gdImageRotateNearestNeighbour(gdImagePtr src, const float degrees, co
 	unsigned int i;
 	gdImagePtr dst;
 
+	if (new_width == 0 || new_height == 0) {
+		return NULL;
+	}
+
 	dst = gdImageCreateTrueColor(new_width, new_height);
 	if (!dst) {
 		return NULL;

ext/gd/tests/bug72337.phpt

@@ -0,0 +1,14 @@
+--TEST--
+ #72337	segfault in imagescale with new dimensions being <=0)
+--SKIPIF--
+<?php
+        if (!function_exists('imagescale')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(1, 1);
+imagescale($im, 0, 0, IMG_BICUBIC_FIXED);
+echo "OK";
+?>
+--EXPECT--
+OK