Fix GH-16260: overflow/underflow on imagerotate degrees argument.

close GH-16264

Author: devnexen

NEWS

@@ -34,8 +34,10 @@ PHP                                                                        NEWS
     (nielsdos)
 
 - GD:
-  . Fixed bug 16232 (bitshift overflow on wbmp file content reading /
+  . Fixed bug GH-16232 (bitshift overflow on wbmp file content reading /
     fix backport from upstream). (David Carlier)
+  . Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value)
+    (David Carlier)
 
 - LDAP:
   . Fixed bug GH-16032 (Various NULL pointer dereferencements in

ext/gd/gd.c

@@ -1195,6 +1195,11 @@ PHP_FUNCTION(imagerotate)
 		RETURN_THROWS();
 	}
 
+	if (degrees < (double)(INT_MIN / 100) || degrees > (double)(INT_MAX / 100)) {
+		zend_argument_value_error(2, "must be between %d and %d", (INT_MIN / 100), (INT_MAX / 100));
+		RETURN_THROWS();
+	}
+
 	im_src = php_gd_libgdimageptr_from_zval_p(SIM);
 	im_dst = gdImageRotateInterpolated(im_src, (const float)degrees, color);
 

ext/gd/tests/gh16260.phpt

@@ -0,0 +1,22 @@
+--TEST--
+GH-16260 (Overflow/underflow on imagerotate degrees argument)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreatetruecolor(10,10);
+
+try {
+	imagerotate($im, PHP_INT_MIN, 0);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+	imagerotate($im, PHP_INT_MAX, 0);
+} catch (\ValueError $e) {
+	echo $e->getMessage();
+}
+--EXPECTF--
+imagerotate(): Argument #2 ($angle) must be between %s and %s
+imagerotate(): Argument #2 ($angle) must be between %s and %s