From f88d247ce26f11b6efb4aa95e44b79892fc99593 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 21 Nov 2025 19:59:08 +0000
Subject: [PATCH] Fix GH-20551: imagegammacorrect out of range gamma value.

close GH-20552
---
 NEWS                      |  4 ++++
 ext/gd/gd.c               | 10 ++++++++++
 ext/gd/tests/gh20551.phpt | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 ext/gd/tests/gh20551.phpt

diff --git a/NEWS b/NEWS
index ad27dba473a..b04792c07f8 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI
     small value). (David Carlier)
 
+- GD:
+  . Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
+    (David Carlier)
+
 - LibXML:
   . Fix some deprecations on newer libxml versions regarding input
     buffer/parser handling. (ndossche)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 2c3fce862ea..558d0764d66 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2286,11 +2286,21 @@ PHP_FUNCTION(imagegammacorrect)
 		RETURN_THROWS();
 	}
 
+	if (!zend_finite(input)) {
+		zend_argument_value_error(2, "must be finite");
+		RETURN_THROWS();
+	}
+
 	if (output <= 0.0) {
 		zend_argument_value_error(3, "must be greater than 0");
 		RETURN_THROWS();
 	}
 
+	if (!zend_finite(output)) {
+		zend_argument_value_error(3, "must be finite");
+		RETURN_THROWS();
+	}
+
 	gamma = input / output;
 
 	im = php_gd_libgdimageptr_from_zval_p(IM);
diff --git a/ext/gd/tests/gh20551.phpt b/ext/gd/tests/gh20551.phpt
new file mode 100644
index 00000000000..32ca50ca5f6
--- /dev/null
+++ b/ext/gd/tests/gh20551.phpt
@@ -0,0 +1,36 @@
+--TEST--
+GH-20551: (imagegammacorrect out of range input/output value)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreate(64, 32);
+
+$gammas = [
+	[NAN, 1.0],
+	[-NAN, 1.0],
+	[INF, 1.0],
+	[-INF, 1.0],
+	[1.0, NAN],
+	[1.0, -NAN],
+	[1.0, INF],
+	[1.0, -INF],
+];
+
+foreach ($gammas as $gamma) {
+	try {
+		imagegammacorrect($im, $gamma[0], $gamma[1]);
+	} catch (\ValueError $e) {
+		echo $e->getMessage(), PHP_EOL;
+	}
+}
+?>
+--EXPECT--
+imagegammacorrect(): Argument #2 ($input_gamma) must be finite
+imagegammacorrect(): Argument #2 ($input_gamma) must be finite
+imagegammacorrect(): Argument #2 ($input_gamma) must be finite
+imagegammacorrect(): Argument #2 ($input_gamma) must be greater than 0
+imagegammacorrect(): Argument #3 ($output_gamma) must be finite
+imagegammacorrect(): Argument #3 ($output_gamma) must be finite
+imagegammacorrect(): Argument #3 ($output_gamma) must be finite
+imagegammacorrect(): Argument #3 ($output_gamma) must be greater than 0