Fix GH-20622: imagestring/imagestringup overflow/underflow.

close GH-20623

Author: devnexen

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.30
 
+- GD:
+  . Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
+
 
 18 Dec 2025, PHP 8.3.29
 

ext/gd/gd.c

@@ -2763,7 +2763,8 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 	char *C;
 	size_t C_len;
 	gdImagePtr im;
-	int ch = 0, col, x, y, i, l = 0;
+	int ch = 0, col, i, l = 0;
+	unsigned int x, y;
 	unsigned char *str = NULL;
 	zend_object *font_obj = NULL;
 	zend_long font_int = 0;
@@ -2795,21 +2796,21 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 
 	switch (mode) {
 		case 0:
-			gdImageChar(im, font, x, y, ch, col);
+			gdImageChar(im, font, (int)x, (int)y, ch, col);
 			break;
 		case 1:
 			php_gdimagecharup(im, font, x, y, ch, col);
 			break;
 		case 2:
 			for (i = 0; (i < l); i++) {
-				gdImageChar(im, font, x, y, (int) ((unsigned char) str[i]), col);
+				gdImageChar(im, font, (int)x, (int)y, (int) ((unsigned char) str[i]), col);
 				x += font->w;
 			}
 			break;
 		case 3: {
 			for (i = 0; (i < l); i++) {
 				/* php_gdimagecharup(im, font, x, y, (int) str[i], col); */
-				gdImageCharUp(im, font, x, y, (int) str[i], col);
+				gdImageCharUp(im, font, (int)x, (int)y, (int) str[i], col);
 				y -= font->w;
 			}
 			break;

ext/gd/tests/gh20622.phpt

@@ -0,0 +1,13 @@
+--TEST--
+GH-20622 (imagestring/imagestringup overflow/underflow)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreate(64, 64);
+imagestringup($im, 5, 0, -2147483648, 'STRINGUP', 0);
+imagestring($im, 5, -2147483648, 0, 'STRING', 0);
+echo "OK";
+?>
+--EXPECT--
+OK