
integer overflow in imagedashedline() #19731

@chongwick

Description

The following code:

```php
<?php
$v_314115 = 1200;
$v_314116 = 800;
$v_314117 = imagecreate($v_314115,$v_314116,);
$v_314118 = 40;
$v_314119 = 40;
$v_314120 = 40;
$v_314121 = imagecolorallocate($v_314117,$v_314118,$v_314119,$v_314120,);
$v_314122 = 255;
$v_314123 = 255;
$v_314124 = 255;
$v_314125 = imagecolorallocate($v_314117,$v_314122,$v_314123,$v_314124,);
$v_314126 = 800;
$v_314127 = 400;
$v_314128 = 300;
$v_314129 = 400;
$v_314130 = imagedashedline($v_314117,$v_314126,$v_314127,$v_314128,$v_314129,$v_314125,);
$v_314131 = 800;
$v_314132 = 400;
$v_314133 = 300;
$v_314134 = 800;
$v_314135 = imagedashedline($v_314117,$v_314131,$v_314132,$v_314133,$v_314134,$v_314125,);
$v_314136 = 800;
$v_314175 = 9;
$v_314138 = 400;
$v_314139 = 800;
$v_314140 = imagedashedline($v_314117,$v_314136,$v_314175,$v_314138,$v_314139,$v_314125,);
$v_314141 = 800;
$v_314142 = 400;
$v_314143 = 500;
$v_314144 = 800;
$v_314145 = imagedashedline($v_314117,$v_314141,$v_314142,$v_314143,$v_314144,$v_314125,);
$v_314146 = 800;
$v_314147 = 400;
$v_314149 = 800;
$v_314150 = imagedashedline($v_314117,$v_314146,$v_314147,$v_314175,$v_314149,$v_314125,);
$v_314151 = 800;
$v_314152 = 400;
$v_314153 = 700;
$v_314154 = 800;
$v_314155 = imagedashedline($v_314117,$v_314151,$v_314152,$v_314153,$v_314154,$v_314125,);
$v_314166 = 'AAAAAAAAAAAA';
$v_314167 = 1;
$v_314168 = 2;
$v_314169 = 3;
$v_314170 = 4;
$v_314171 = 5;
$v_314172 = 6;
$v_314173 = 7;
$v_314174 = 8;
$v_314176 = 10;
$v_314177 = 11;
$v_314178 = 12;
$v_314179 = pack($v_314166,$v_314167,$v_314168,$v_314169,$v_314170,$v_314171,$v_314172,$v_314173,$v_314174,$v_314175,$v_314176,$v_314177,$v_314178,);
$v_314157 = 400;
$v_314158 = 800;
$v_314159 = 800;
$v_314160 = imagedashedline($v_314117,$v_314179,$v_314157,$v_314158,$v_314159,$v_314125,);
```

Resulted in this output:

```
/nightly_php/php-src/ext/gd/libgd/gd.c:1409:13: runtime error: signed integer overflow: 2 * -1097262873 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/w023dtc/nightly_php/php-src/ext/gd/libgd/gd.c:1409:13
```

But I expected this output instead:

PHP Version

nightly

Operating System

ubuntu 20.04
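Added example, not part of the original report and not code from php-src or libgd: it retraces the arithmetic of the last `imagedashedline()` call in the reproducer, where `pack()` with twelve `A` codes yields the string "123456789111" as x1, and arrives at the same operand the sanitizer reports. Assumptions: the PHP integer is narrowed to a 32-bit `int` with wraparound before it reaches libgd, and the doubled term comes from a Bresenham-style setup; `check_dashed_line` and `wrap32` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of the setup arithmetic for one line-drawing call. */
typedef struct {
    int32_t x1;       /* x1 after narrowing to a 32-bit int */
    int64_t operand;  /* value that gets doubled */
    bool overflow;    /* true if 2 * operand does not fit in int */
} dash_check;

/* Narrow a 64-bit value to 32 bits with two's-complement wraparound
 * (assumption: this is how the PHP integer reaches libgd's int parameter). */
static int32_t wrap32(int64_t v)
{
    uint32_t u = (uint32_t)v;
    return u > INT32_MAX ? (int32_t)((int64_t)u - 4294967296LL) : (int32_t)u;
}

/* Assumed Bresenham-style setup: the doubled term is (dy - dx) for shallow
 * lines and (dx - dy) for steep ones. Everything is computed in 64 bits so
 * the check itself cannot overflow. */
dash_check check_dashed_line(int64_t x1, int64_t y1, int64_t x2, int64_t y2)
{
    dash_check r;
    r.x1 = wrap32(x1);
    int64_t dx = llabs((int64_t)wrap32(x2) - r.x1);
    int64_t dy = llabs((int64_t)wrap32(y2) - wrap32(y1));
    r.operand = (dy <= dx) ? dy - dx : dx - dy;
    int64_t doubled = 2 * r.operand;
    r.overflow = doubled < INT32_MIN || doubled > INT32_MAX;
    return r;
}

int main(void)
{
    /* Last call of the reproducer: x1 is the numeric string from pack(). */
    dash_check bad = check_dashed_line(123456789111LL, 400, 800, 800);
    /* First call of the reproducer: all coordinates in range. */
    dash_check ok = check_dashed_line(800, 400, 300, 400);
    printf("x1=%d operand=%lld overflow=%d\n",
           bad.x1, (long long)bad.operand, bad.overflow);
    printf("x1=%d operand=%lld overflow=%d\n",
           ok.x1, (long long)ok.operand, ok.overflow);
    return 0;
}
```

A range check of this kind on the coordinates, or doing the setup arithmetic in a wider type, keeps the doubled term representable.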
