From 3f9261768bb33560c6b1dee6308f89651e2dadd7 Mon Sep 17 00:00:00 2001
From: Andrey Kovalev
Date: Mon, 26 May 2025 14:22:28 +0300
Subject: [PATCH] ext/standard/image.c: Fix unsafe integer conversion

- Add checks for image dimensions (width/height/bits/channels) against INT32_MAX.
- Prevent sign-bit override when converting unsigned int to zend_long on 32-bit platforms.
- Ensure consistent behavior across architectures for getimagesize() results.

Reported-by: Dmitriy Fedin
Signed-off-by: Andrey Kovalev
---
 ext/standard/image.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ext/standard/image.c b/ext/standard/image.c
index eeb1f1fa2813a..dec02fc4fd761 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -17,6 +17,7 @@
 
 #include "php.h"
 #include
+#include
 #ifdef HAVE_FCNTL_H
 #include
 #endif
@@ -1520,7 +1521,16 @@ static void php_getimagesize_from_stream(php_stream *stream, char *input, zval *
 break;
 }
 
+#if SIZEOF_ZEND_LONG == 4
+ if (result &&
+ result->width <= INT32_MAX &&
+ result->height <= INT32_MAX &&
+ result->bits <= INT32_MAX &&
+ result->channels <= INT32_MAX)
+ {
+#else
 if (result) {
+#endif
 char temp[MAX_LENGTH_OF_LONG * 2 + sizeof("width=\"\" height=\"\"")];
 array_init(return_value);
 add_index_long(return_value, 0, result->width);
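Review bot: On builds where `SIZEOF_ZEND_LONG == 4`, a non-NULL `result` whose width, height, bits or channels exceeds `INT32_MAX` now fails the combined condition, so the whole block is skipped while `result` is still allocated. The end of this block and any `else` branch are outside the hunk; if `result` is released only at the end of the block, which the structure suggests but the hunk does not show, every rejected image leaks it, and those values come straight from the parsed file. Keeping `if (result) {` unconditional and putting the range test inside it gives the rejection path its own cleanup, and it avoids opening the same brace in two preprocessor branches, which is hard to read and confuses brace matching in editors. The sketch below assumes the function reports failure with `RETURN_FALSE`; the release call is left as a comment because the allocator is not visible here.

```c
	if (result) {
#if SIZEOF_ZEND_LONG == 4
		/* zend_long is 32-bit here: values above INT32_MAX would turn negative in the returned array */
		if (result->width > INT32_MAX || result->height > INT32_MAX ||
			result->bits > INT32_MAX || result->channels > INT32_MAX) {
			/* release result the same way the end of this block does */
			RETURN_FALSE;
		}
#endif
		/* … unchanged: char temp[...], array_init(), add_index_long() calls … */
```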