diff --git a/NEWS b/NEWS index a9d339042f4..783e476f025 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.4.17 +- GD: + . Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier) + 18 Dec 2025, PHP 8.4.16 diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 497407d5a12..16e871f6bc3 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -3023,7 +3023,8 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode) zend_long X, Y, COL; zend_string *C; gdImagePtr im; - int ch = 0, col, x, y, i, l = 0; + int ch = 0, col, i, l = 0; + unsigned int x, y; unsigned char *str = NULL; zend_object *font_obj = NULL; zend_long font_int = 0; @@ -3055,21 +3056,21 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode) switch (mode) { case 0: - gdImageChar(im, font, x, y, ch, col); + gdImageChar(im, font, (int)x, (int)y, ch, col); break; case 1: php_gdimagecharup(im, font, x, y, ch, col); break; case 2: for (i = 0; (i < l); i++) { - gdImageChar(im, font, x, y, (int) ((unsigned char) str[i]), col); + gdImageChar(im, font, (int)x, (int)y, (int) ((unsigned char) str[i]), col); x += font->w; } break; case 3: { for (i = 0; (i < l); i++) { /* php_gdimagecharup(im, font, x, y, (int) str[i], col); */ - gdImageCharUp(im, font, x, y, (int) str[i], col); + gdImageCharUp(im, font, (int)x, (int)y, (int) str[i], col); y -= font->w; } break; diff --git a/ext/gd/tests/gh20622.phpt b/ext/gd/tests/gh20622.phpt new file mode 100644 index 00000000000..42109ddc13e --- /dev/null +++ b/ext/gd/tests/gh20622.phpt @@ -0,0 +1,13 @@ +--TEST-- +GH-20622 (imagestring/imagestringup overflow/underflow) +--EXTENSIONS-- +gd +--FILE-- + +--EXPECT-- +OK