From 93865a40861b36c450ca9943c1c2ecc5d5b5b1ef Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Mon, 25 Aug 2025 06:41:45 +0100
Subject: [PATCH] Fix GH-19578: imagefilledellipse underflow on width argument.

close GH-19579
---
 NEWS                             |  4 ++++
 ext/gd/gd.c                      |  5 +++++
 ext/gd/tests/gh19578.phpt        | 27 +++++++++++++++++++++++++++
 ext/gd/tests/gh19578_32bits.phpt | 20 ++++++++++++++++++++
 4 files changed, 56 insertions(+)
 create mode 100644 ext/gd/tests/gh19578.phpt
 create mode 100644 ext/gd/tests/gh19578_32bits.phpt

diff --git a/NEWS b/NEWS
index 72c9157450b..8ccd0d45f1f 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,10 @@ PHP                                                                        NEWS
 - FPM:
   . Fixed failed debug assertion when php_admin_value setting fails. (ilutov)
 
+- GD:
+  . Fixed bug GH-19579 (imagefilledellipse underflow on width argument).
+    (David Carlier)
+
 - OpenSSL:
   . Fixed bug GH-19245 (Success error message on TLS stream accept failure).
     (Jakub Zelenka)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index cce2a5ca42f..44e46841062 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -832,6 +832,11 @@ PHP_FUNCTION(imagefilledellipse)
 		RETURN_THROWS();
 	}
 
+    if (w < 0 || ZEND_LONG_INT_OVFL(w)) {
+        zend_argument_value_error(4, "must be between 0 and %d", INT_MAX);
+        RETURN_THROWS();
+    }
+
 	im = php_gd_libgdimageptr_from_zval_p(IM);
 
 	gdImageFilledEllipse(im, cx, cy, w, h, color);
diff --git a/ext/gd/tests/gh19578.phpt b/ext/gd/tests/gh19578.phpt
new file mode 100644
index 00000000000..15d10f752d0
--- /dev/null
+++ b/ext/gd/tests/gh19578.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-19578: imagefilledellipse underflow on width argument
+--EXTENSIONS--
+gd
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
+?>
+--FILE--
+<?php
+$src = imagecreatetruecolor(255, 255);
+
+try {
+    imagefilledellipse($src, 0, 0, PHP_INT_MAX, 254, 0);
+} catch (\ValueError $e) {
+    echo $e->getMessage(), PHP_EOL;
+}
+
+try {
+    imagefilledellipse($src, 0, 0, -16, 254, 0);
+} catch (\ValueError $e) {
+    echo $e->getMessage();
+}
+?>
+--EXPECTF--
+imagefilledellipse(): Argument #4 ($width) must be between 0 and %d
+imagefilledellipse(): Argument #4 ($width) must be between 0 and %d
diff --git a/ext/gd/tests/gh19578_32bits.phpt b/ext/gd/tests/gh19578_32bits.phpt
new file mode 100644
index 00000000000..2cb73a60987
--- /dev/null
+++ b/ext/gd/tests/gh19578_32bits.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-19578: imagefilledellipse underflow on width argument
+--EXTENSIONS--
+gd
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 4) die('skip this test is for 32bit platforms only');
+?>
+--FILE--
+<?php
+$src = imagecreatetruecolor(255, 255);
+
+try {
+    imagefilledellipse($src, 0, 0, -16, 254, 0);
+} catch (\ValueError $e) {
+    echo $e->getMessage();
+}
+?>
+--EXPECTF--
+imagefilledellipse(): Argument #4 ($width) must be between 0 and %d