Fix #79877: getimagesize function silently truncates after a null byte

cmb69 · smalyshev · commit 4d2560dd6a11 · 2020-08-03T01:09:44.000-07:00
We have to check for NUL bytes if `getimagesize()` has been called.
diff --git a/ext/standard/image.c b/ext/standard/image.c
@@ -1496,6 +1496,11 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {
 		Z_PARAM_ZVAL(info)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) {
+		php_error_docref(NULL, E_WARNING, "Invalid path");
+		return;
+	}
+
 	if (argc == 2) {
 		info = zend_try_array_init(info);
 		if (!info) {
diff --git a/ext/standard/tests/image/bug79877.phpt b/ext/standard/tests/image/bug79877.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #79877 (getimagesize function silently truncates after a null byte)
+--FILE--
+<?php
+var_dump(getimagesize("/tmp/a.png\0xx"));
+?>
+--EXPECTF--
+Warning: getimagesize(): Invalid path in %s on line %d
+NULL
