Skip to content

integer overflow imagefilledpolygon #18900

New issue
New issue
Closed as duplicate
Closed as duplicate
integer overflow imagefilledpolygon#18900
Labels
BugExtension: gdStatus: Verified
@YuanchengJiang

Description

@YuanchengJiang
YuanchengJiang
opened on Jun 22, 2025

Description

The following code:

<?php
$im = imagecreatetruecolor(10, 10);
imagealphablending($im, false);
$transparent = imagecolorallocatealpha($im, 200, 0, 100, 64);
for ($i = 0; $i < imagesx($im); $i++) {
for ($j = 0; $j < imagesy($im); $j++) {
imagesetpixel($im, $i, $j, ($i%2 != $j%2 ? $solid : $transparent));
}
}
$copy = imagecreatetruecolor(5, 5);
imagealphablending($copy, false);
imagecopyresampled($copy, $im, 0,0, 0,0, 5,5, 10, 10);
$color = imagecolorat($copy, 3, 3);
$fusion = $color;
$bot = 255;
$points = array(
$x,      $top,
$fusion+$d,   (int) (($top+$bot)/2),
$x,      $bot
);
imagefilledpolygon($im, $points, $yellow);

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46: runtime error: signed integer overflow: 4 * 541196321 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/gd/libgd/gd.c:2849:46 in

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

be70f42de7c9ec0e6158ce9ec9d21f0dac24897f

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

be70f42de7c9ec0e6158ce9ec9d21f0dac24897f

Operating System

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugExtension: gdStatus: Verified

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions