Fix GH-20602: imagescale() overflow with large height values.

close GH-20605

Author: devnexen

NEWS

@@ -27,6 +27,8 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
     (David Carlier)
+  . Fixed bug GH-20602 (imagescale overflow with large height values).
+    (David Carlier)
 
 - LibXML:
   . Fix some deprecations on newer libxml versions regarding input

ext/gd/gd.c

@@ -3689,9 +3689,17 @@ PHP_FUNCTION(imagescale)
 		src_y = gdImageSY(im);
 
 		if (src_x && tmp_h < 0) {
+			if (tmp_w > (ZEND_LONG_MAX / src_y)) {
+				zend_argument_value_error(2, "must be less than or equal to " ZEND_LONG_FMT, (zend_long)(ZEND_LONG_MAX / src_y));
+				RETURN_THROWS();
+			}
 			tmp_h = tmp_w * src_y / src_x;
 		}
 		if (src_y && tmp_w < 0) {
+			if (tmp_h > (ZEND_LONG_MAX / src_x)) {
+				zend_argument_value_error(3, "must be less than or equal to " ZEND_LONG_FMT, (zend_long)(ZEND_LONG_MAX / src_x));
+				RETURN_THROWS();
+			}
 			tmp_w = tmp_h * src_x / src_y;
 		}
 	}

ext/gd/tests/gh20602.phpt

@@ -0,0 +1,22 @@
+--TEST--
+GH-20551: (imagegammacorrect out of range input/output value)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreatetruecolor(16, 16);
+
+try {
+	imagescale($im, PHP_INT_MAX, -1);
+} catch (\ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+try {
+	imagescale($im, -1, PHP_INT_MAX);
+} catch (\ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+imagescale(): Argument #2 ($width) must be less than or equal to %d
+imagescale(): Argument #3 ($height) must be less than or equal to %d