From f2859a4050140d8395721505c3d2c311c1ad43f5 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Wed, 9 Oct 2024 23:19:23 +0100
Subject: [PATCH] Fix GH-16322: imageaffine overflow on affine argument.

close GH-16334
---
 NEWS                      |  4 ++++
 ext/gd/gd.c               | 14 +++++++++++++-
 ext/gd/tests/gh16322.phpt | 27 +++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 ext/gd/tests/gh16322.phpt

diff --git a/NEWS b/NEWS
index 315690eddfc..ee8d50896af 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
     (nielsdos)
 
+- GD:
+  . Fixed bug GH-16334 (imageaffine overflow on matrix elements).
+    (David Carlier)
+
 - MBstring:
   . Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
     (David Carlier)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 3b824430597..6b41efd949a 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3687,13 +3687,25 @@ PHP_FUNCTION(imageaffine)
 		if ((zval_affine_elem = zend_hash_index_find(Z_ARRVAL_P(z_affine), i)) != NULL) {
 			switch (Z_TYPE_P(zval_affine_elem)) {
 				case IS_LONG:
-					affine[i]  = Z_LVAL_P(zval_affine_elem);
+					affine[i] = Z_LVAL_P(zval_affine_elem);
+					if (affine[i] < INT_MIN || affine[i] > INT_MAX) {
+						zend_argument_value_error(2, "element %i must be between %d and %d", i, INT_MIN, INT_MAX);
+						RETURN_THROWS();
+					}
 					break;
 				case IS_DOUBLE:
 					affine[i] = Z_DVAL_P(zval_affine_elem);
+					if (affine[i] < INT_MIN || affine[i] > INT_MAX) {
+						zend_argument_value_error(2, "element %i must be between %d and %d", i, INT_MIN, INT_MAX);
+						RETURN_THROWS();
+					}
 					break;
 				case IS_STRING:
 					affine[i] = zval_get_double(zval_affine_elem);
+					if (affine[i] < INT_MIN || affine[i] > INT_MAX) {
+						zend_argument_value_error(2, "element %i must be between %d and %d", i, INT_MIN, INT_MAX);
+						RETURN_THROWS();
+					}
 					break;
 				default:
 					zend_argument_type_error(3, "contains invalid type for element %i", i);
diff --git a/ext/gd/tests/gh16322.phpt b/ext/gd/tests/gh16322.phpt
new file mode 100644
index 00000000000..1edc27285d2
--- /dev/null
+++ b/ext/gd/tests/gh16322.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-16322 (imageaffine overflow/underflow on affine matrix)
+--EXTENSIONS--
+gd
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+$matrix = [INF, 1, 1, 1, 1, 1];
+$src = imagecreatetruecolor(8, 8);
+
+try {
+	imageaffine($src, $matrix);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+$matrix[0] = 1;
+$matrix[3] = -INF;
+try {
+	imageaffine($src, $matrix);
+} catch (\ValueError $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECTF--
+imageaffine(): Argument #2 ($affine) element 0 must be between %s and %d
+imageaffine(): Argument #2 ($affine) element 3 must be between %s and %d