From 4124b04e3420b0a0e9290222b607ce7f7154a60a Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Wed, 13 Nov 2024 07:26:24 +0000
Subject: [PATCH] Fix GH-16771: imagecreatefromstring overflow on invalid format.
close GH-16776
---
 NEWS | 3 +++
 ext/gd/gd.c | 2 +-
 ext/gd/tests/gh16771.phpt | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 ext/gd/tests/gh16771.phpt
diff --git a/NEWS b/NEWS
index bf6f7537d8445..2b3b9e3f9c2b7 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,9 @@ PHP NEWS
 - FPM:
 . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
+- GD:
+ . Fixed GH-16776 (imagecreatefromstring overflow). (David Carlier)
+
 - Hash:
 . Fixed GH-16711: Segfault in mhash(). (Girgias)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 6b41efd949a2c..b1a9a333e1fd5 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1323,7 +1323,7 @@ static int _php_ctx_getmbi(gdIOCtx *ctx)
 do {
 i = (ctx->getC)(ctx);
- if (i < 0) {
+ if (i < 0 || mbi > (INT_MAX >> 7)) {
 return -1;
 }
 mbi = (mbi << 7) | (i & 0x7f);
diff --git a/ext/gd/tests/gh16771.phpt b/ext/gd/tests/gh16771.phpt
new file mode 100644
index 0000000000000..232317cec11b5
--- /dev/null
+++ b/ext/gd/tests/gh16771.phpt
@@ -0,0 +1,10 @@
+--TEST--
+GH-16771 (UBSan abort in ext/gd/libgd/gd.c:1372)
+--EXTENSIONS--
+gd
+--FILE--
+
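Review bot: The added bound `mbi > (INT_MAX >> 7)` in the ext/gd/gd.c hunk has no comment saying what it protects, and the constant is not self-explanatory to the next reader. A one-line comment above the `if` would record the intent, e.g. `/* reject before shifting: mbi << 7 would overflow int (UB) on an over-long multi-byte integer in the input */`. The overflow case now returns the same -1 as a failed read, which is safe only if every caller treats any negative result as a parse failure. The callers and the rest of `_php_ctx_getmbi` (its declarations and the loop's closing `while`) lie outside the hunk, so that should be confirmed there. Separately, the NEWS entry cites GH-16776 while the subject and the test file name use GH-16771, so the entry may be carrying the pull-request number rather than the issue number.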