From 68c47814bd7b87678add469aed0063c3edcb1618 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 5 May 2016 22:03:38 +0200
Subject: [PATCH] Fix error handling in StyleAction::upload()
---
 .../lib/data/style/StyleAction.class.php | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/wcfsetup/install/files/lib/data/style/StyleAction.class.php b/wcfsetup/install/files/lib/data/style/StyleAction.class.php
index 8b1efb38d0..1072cfa96a 100644
--- a/wcfsetup/install/files/lib/data/style/StyleAction.class.php
+++ b/wcfsetup/install/files/lib/data/style/StyleAction.class.php
@@ -281,9 +281,22 @@ class StyleAction extends AbstractDatabaseObjectAction implements IToggleAction
 if (!$file->getValidationErrorType()) {
 // shrink avatar if necessary
 $fileLocation = $file->getLocation();
- $imageData = getimagesize($fileLocation);
- if ($imageData[0] > Style::PREVIEW_IMAGE_MAX_WIDTH || $imageData[1] > Style::PREVIEW_IMAGE_MAX_HEIGHT) {
- try {
+ try {
+ if (($imageData = getimagesize($fileLocation)) === false) {
+ throw new UserInputException('image');
+ }
+ switch ($imageData[2]) {
+ case IMG_PNG:
+ case IMG_JPEG:
+ case IMG_JPG:
+ case IMG_GIF:
+ // fine
+ break;
+ default:
+ throw new UserInputException('image');
+ }
+
+ if ($imageData[0] > Style::PREVIEW_IMAGE_MAX_WIDTH || $imageData[1] > Style::PREVIEW_IMAGE_MAX_HEIGHT) {
 $adapter = ImageHandler::getInstance()->getAdapter();
 $adapter->loadFile($fileLocation);
 $fileLocation = FileUtil::getTemporaryFilename();
@@ -291,9 +304,9 @@ class StyleAction extends AbstractDatabaseObjectAction implements IToggleAction
 $adapter->writeImage($thumbnail, $fileLocation);
 $imageData = getimagesize($fileLocation);
 }
- catch (SystemException $e) {
- throw new UserInputException('image');
- }
+ }
+ catch (SystemException $e) {
+ throw new UserInputException('image');
 }
 // move uploaded file
-- 
2.20.1
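Review bot: The `switch ($imageData[2])` added in the first hunk compares against GD's `IMG_*` constants, but index 2 of getimagesize() holds an `IMAGETYPE_*` value, and the two sets are numbered differently. `IMG_PNG` is 4, which is the value of `IMAGETYPE_SWF`, while a real PNG reports 3 and falls through to `default`, so PNG previews are rejected and a Flash file passes the type check. The `IMG_*` constants are also defined only when the GD extension is loaded. The labels should be `case IMAGETYPE_PNG:`, `case IMAGETYPE_JPEG:` and `case IMAGETYPE_GIF:`. upload() starts and ends outside the hunk.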