Fix GH-16232: bitshift overflow on wbmp file content reading.

backport from a8f1d5cab0

close GH-16239

NEWS

@@ -31,6 +31,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
     (nielsdos)
 
+- GD:
+  . Fixed bug 16232 (bitshift overflow on wbmp file content reading /
+    fix backport from upstream). (David Carlier)
+
 - LDAP:
   . Fixed bug GH-16032 (Various NULL pointer dereferencements in
     ldap_modify_batch()). (Girgias)

ext/gd/libgd/wbmp.c

@@ -37,7 +37,8 @@
 int
 getmbi (int (*getin) (void *in), void *in)
 {
-  int i, mbi = 0;
+  unsigned int mbi = 0;
+  int i;
 
   do
     {

ext/gd/tests/gh16232.phpt

@@ -0,0 +1,27 @@
+--TEST--
+GH-16232 (Overflow on reading wbmp content)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$good_webp = __DIR__ . '/src.wbmp';
+$bad_webp = __DIR__ . "/gh16232.webp";
+copy($good_webp, $bad_webp);
+var_dump(imagecreatefromwbmp($bad_webp));
+$data = file_get_contents($bad_webp);
+$data[3] = chr(-1);
+file_put_contents($bad_webp, $data);
+var_dump(imagecreatefromwbmp($bad_webp));
+$data[3] = chr(1000);
+file_put_contents($bad_webp, $data);
+var_dump(imagecreatefromwbmp($bad_webp));
+unlink($bad_webp);
+--EXPECTF--
+object(GdImage)#1 (0) {
+}
+
+Warning: imagecreatefromwbmp(): "%s" is not a valid WBMP file in %s on line %d
+bool(false)
+
+Warning: imagecreatefromwbmp(): "%s" is not a valid WBMP file in %s on line %d
+bool(false)