PHP bug #79877

0001-Fix-79877-getimagesize-function-silently-truncates-a.patch

From dab2525990fc52a30a10db75acf3a548efc1279e Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 21 Jul 2020 11:07:43 +0200
Subject: [PATCH] Fix #79877: getimagesize function silently truncates after a
 null byte

We have to check for NUL bytes if `getimagesize()` has been called.
---
 ext/standard/image.c                   | 5 +++++
 ext/standard/tests/image/bug79877.phpt | 9 +++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 ext/standard/tests/image/bug79877.phpt

diff --git a/ext/standard/image.c b/ext/standard/image.c
index c634727ea3..4e63411904 100644
--- a/ext/standard/image.c
+++ b/ext/standard/image.c
@@ -1478,6 +1478,11 @@ static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {
 		Z_PARAM_ZVAL_DEREF(info)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (mode == FROM_PATH && CHECK_NULL_PATH(input, input_len)) {
+		php_error_docref(NULL, E_WARNING, "Invalid path");
+		return;
+	}
+
 	if (argc == 2) {
 		zval_ptr_dtor(info);
 		array_init(info);
diff --git a/ext/standard/tests/image/bug79877.phpt b/ext/standard/tests/image/bug79877.phpt
new file mode 100644
index 0000000000..92e93e59e5
--- /dev/null
+++ b/ext/standard/tests/image/bug79877.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #79877 (getimagesize function silently truncates after a null byte)
+--FILE--
+<?php
+var_dump(getimagesize("/tmp/a.png\0xx"));
+?>
+--EXPECTF--
+Warning: getimagesize(): Invalid path in %s on line %d
+NULL
-- 
2.27.0.windows.1