Dev news

Commit 9f654decdc1 for php.net

commit 9f654decdc12cad9575c6ebecb28adf0172e20bd
Author: David Carlier <devnexen@gmail.com>
Date:   Sat Nov 29 22:19:37 2025 +0000

    Fix GH-20622: imagestring/imagestringup overflow/underflow.

    close GH-20623

diff --git a/NEWS b/NEWS
index 8cb21eb94fb..d6b832917df 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.30

+- GD:
+  . Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
+

 18 Dec 2025, PHP 8.3.29

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 925d64f01c5..5efc8e4d52c 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2763,7 +2763,8 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 	char *C;
 	size_t C_len;
 	gdImagePtr im;
-	int ch = 0, col, x, y, i, l = 0;
+	int ch = 0, col, i, l = 0;
+	unsigned int x, y;
 	unsigned char *str = NULL;
 	zend_object *font_obj = NULL;
 	zend_long font_int = 0;
@@ -2795,21 +2796,21 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)

 	switch (mode) {
 		case 0:
-			gdImageChar(im, font, x, y, ch, col);
+			gdImageChar(im, font, (int)x, (int)y, ch, col);
 			break;
 		case 1:
 			php_gdimagecharup(im, font, x, y, ch, col);
 			break;
 		case 2:
 			for (i = 0; (i < l); i++) {
-				gdImageChar(im, font, x, y, (int) ((unsigned char) str[i]), col);
+				gdImageChar(im, font, (int)x, (int)y, (int) ((unsigned char) str[i]), col);
 				x += font->w;
 			}
 			break;
 		case 3: {
 			for (i = 0; (i < l); i++) {
 				/* php_gdimagecharup(im, font, x, y, (int) str[i], col); */
-				gdImageCharUp(im, font, x, y, (int) str[i], col);
+				gdImageCharUp(im, font, (int)x, (int)y, (int) str[i], col);
 				y -= font->w;
 			}
 			break;
diff --git a/ext/gd/tests/gh20622.phpt b/ext/gd/tests/gh20622.phpt
new file mode 100644
index 00000000000..42109ddc13e
--- /dev/null
+++ b/ext/gd/tests/gh20622.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-20622 (imagestring/imagestringup overflow/underflow)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreate(64, 64);
+imagestringup($im, 5, 0, -2147483648, 'STRINGUP', 0);
+imagestring($im, 5, -2147483648, 0, 'STRING', 0);
+echo "OK";
+?>
+--EXPECT--
+OK