Merge branch 'PHP-8.5'

devnexen · devnexen · commit 8504b18a343e · 2025-12-04T23:16:22.000Z
* PHP-8.5: Fix GH-20622: imagestring/imagestringup overflow/underflow.
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -2976,7 +2976,8 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 	zend_long X, Y, COL;
 	zend_string *C;
 	gdImagePtr im;
-	int ch = 0, col, x, y, i;
+	int ch = 0, col, i, l = 0;
+	unsigned int x, y;
 	size_t l = 0;
 	unsigned char *str = NULL;
 	zend_object *font_obj = NULL;
@@ -3009,21 +3010,21 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 
 	switch (mode) {
 		case 0:
-			gdImageChar(im, font, x, y, ch, col);
+			gdImageChar(im, font, (int)x, (int)y, ch, col);
 			break;
 		case 1:
 			php_gdimagecharup(im, font, x, y, ch, col);
 			break;
 		case 2:
 			for (i = 0; (i < l); i++) {
-				gdImageChar(im, font, x, y, (int) ((unsigned char) str[i]), col);
+				gdImageChar(im, font, (int)x, (int)y, (int) ((unsigned char) str[i]), col);
 				x += font->w;
 			}
 			break;
 		case 3: {
 			for (i = 0; (i < l); i++) {
 				/* php_gdimagecharup(im, font, x, y, (int) str[i], col); */
-				gdImageCharUp(im, font, x, y, (int) str[i], col);
+				gdImageCharUp(im, font, (int)x, (int)y, (int) str[i], col);
 				y -= font->w;
 			}
 			break;
diff --git a/ext/gd/tests/gh20622.phpt b/ext/gd/tests/gh20622.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-20622 (imagestring/imagestringup overflow/underflow)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreate(64, 64);
+imagestringup($im, 5, 0, -2147483648, 'STRINGUP', 0);
+imagestring($im, 5, -2147483648, 0, 'STRING', 0);
+echo "OK";
+?>
+--EXPECT--
+OK
