Fix GH-22121: double-free in gdImageSetStyle() after overflow early return

iliaal · iliaal · commit a149dceae6cd · 2026-05-22T12:08:05.000-04:00
gdImageSetStyle freed im->style before checking overflow2(). When the overflow check tripped and the function early-returned, im->style was left dangling. The next gdImageSetStyle, gdImageDestroy, or gdImageSetPixel gdStyled/gdStyledBrushed dispatch then freed or dereferenced it. Move the overflow check above the free to match upstream libgd (libgd/libgd src/gd.c::gdImageSetStyle), which has always had the check first. The original divergence was an oversight in 77ba248 when the overflow check was ported from libgd 2.0.29. Fixes GH-22121
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -2854,12 +2854,12 @@ int gdCompareInt (const void *a, const void *b)
 
 void gdImageSetStyle (gdImagePtr im, int *style, int noOfPixels)
 {
-	if (im->style) {
-		gdFree(im->style);
-	}
 	if (overflow2(sizeof (int), noOfPixels)) {
 		return;
 	}
+	if (im->style) {
+		gdFree(im->style);
+	}
 	im->style = (int *) gdMalloc(sizeof(int) * noOfPixels);
 	memcpy(im->style, style, sizeof(int) * noOfPixels);
 	im->styleLength = noOfPixels;
diff --git a/ext/gd/tests/gh22121.phpt b/ext/gd/tests/gh22121.phpt
@@ -0,0 +1,40 @@
+--TEST--
+GH-22121 (Double free in gdImageSetStyle() after overflow-triggered early return)
+--EXTENSIONS--
+gd
+--INI--
+memory_limit=-1
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (PHP_INT_SIZE < 8) die('skip 64-bit only (allocates ~10 GiB)');
+function get_system_memory(): int|float|false {
+    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
+        @exec('wmic OS get FreePhysicalMemory', $output);
+        if (isset($output[1])) {
+            return ((int)trim($output[1])) * 1024;
+        }
+    } else {
+        $memInfo = @file_get_contents("/proc/meminfo");
+        if ($memInfo && preg_match('/MemAvailable:\s+(\d+) kB/', $memInfo, $matches)) {
+            return $matches[1] * 1024;
+        }
+    }
+    return false;
+}
+if (get_system_memory() < 12 * 1024 * 1024 * 1024) {
+    die('skip Reason: Insufficient RAM (less than 12GB)');
+}
+?>
+--FILE--
+<?php
+$im = imagecreatetruecolor(1, 1);
+imagesetstyle($im, [0]);
+imagesetstyle($im, array_fill(0, 536870912, 0));
+unset($im);
+echo "no double free\n";
+?>
+--EXPECTF--
+Warning: imagesetstyle(): Product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %s on line %d
+no double free
