From f88d247ce26f11b6efb4aa95e44b79892fc99593 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Fri, 21 Nov 2025 19:59:08 +0000
Subject: [PATCH 1/3] Fix GH-20551: imagegammacorrect out of range gamma value.

close GH-20552
---
 NEWS                      |  4 ++++
 ext/gd/gd.c               | 10 ++++++++++
 ext/gd/tests/gh20551.phpt | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 ext/gd/tests/gh20551.phpt

diff --git a/NEWS b/NEWS
index ad27dba473a26..b04792c07f8a8 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI
     small value). (David Carlier)
 
+- GD:
+  . Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
+    (David Carlier)
+
 - LibXML:
   . Fix some deprecations on newer libxml versions regarding input
     buffer/parser handling. (ndossche)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 2c3fce862eaea..558d0764d666a 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2286,11 +2286,21 @@ PHP_FUNCTION(imagegammacorrect)
 		RETURN_THROWS();
 	}
 
+	if (!zend_finite(input)) {
+		zend_argument_value_error(2, "must be finite");
+		RETURN_THROWS();
+	}
+
 	if (output <= 0.0) {
 		zend_argument_value_error(3, "must be greater than 0");
 		RETURN_THROWS();
 	}
 
+	if (!zend_finite(output)) {
+		zend_argument_value_error(3, "must be finite");
+		RETURN_THROWS();
+	}
+
 	gamma = input / output;
 
 	im = php_gd_libgdimageptr_from_zval_p(IM);
diff --git a/ext/gd/tests/gh20551.phpt b/ext/gd/tests/gh20551.phpt
new file mode 100644
index 0000000000000..32ca50ca5f626
--- /dev/null
+++ b/ext/gd/tests/gh20551.phpt
@@ -0,0 +1,36 @@
+--TEST--
+GH-20551: (imagegammacorrect out of range input/output value)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreate(64, 32);
+
+$gammas = [
+	[NAN, 1.0],
+	[-NAN, 1.0],
+	[INF, 1.0],
+	[-INF, 1.0],
+	[1.0, NAN],
+	[1.0, -NAN],
+	[1.0, INF],
+	[1.0, -INF],
+];
+
+foreach ($gammas as $gamma) {
+	try {
+		imagegammacorrect($im, $gamma[0], $gamma[1]);
+	} catch (\ValueError $e) {
+		echo $e->getMessage(), PHP_EOL;
+	}
+}
+?>
+--EXPECT--
+imagegammacorrect(): Argument #2 ($input_gamma) must be finite
+imagegammacorrect(): Argument #2 ($input_gamma) must be finite
+imagegammacorrect(): Argument #2 ($input_gamma) must be finite
+imagegammacorrect(): Argument #2 ($input_gamma) must be greater than 0
+imagegammacorrect(): Argument #3 ($output_gamma) must be finite
+imagegammacorrect(): Argument #3 ($output_gamma) must be finite
+imagegammacorrect(): Argument #3 ($output_gamma) must be finite
+imagegammacorrect(): Argument #3 ($output_gamma) must be greater than 0

From 9149c3551434d48220d452ea42438d4cb49b7c89 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Sat, 22 Nov 2025 06:03:41 +0000
Subject: [PATCH 2/3] Fix GH-20554: php_cli_server() get http status as string
 build issue.

due to the signature of this helper it needs to be const also
bsearch key argument needs to be too.

close GH-20556
---
 sapi/cli/php_cli_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
index 8d67fb2864c6d..df01d3df91137 100644
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -304,7 +304,7 @@ static int status_comp(const void *a, const void *b) /* {{{ */
 
 static const char *get_status_string(int code) /* {{{ */
 {
-	http_response_status_code_pair needle = {code, NULL},
+	const http_response_status_code_pair needle = {code, NULL},
 		*result = NULL;
 
 	result = bsearch(&needle, http_status_map, http_status_map_len, sizeof(needle), status_comp);

From 178776569620b64cee308211dd4329e8f08d7e76 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Sat, 22 Nov 2025 11:05:39 +0000
Subject: [PATCH 3/3] Fix GH-20546: Zend preserve_none attribute config check
 on macOs issue.

This attribute fails on macOs due to the inline assembly test.
Due to an old Darwin C ABI convention, symbols are prefixed with an
underscore so we need to take in account also for x86_64.

close GH-20559
---
 NEWS         |  2 ++
 Zend/Zend.m4 | 10 +++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index b6efe0d85e51d..cf93f7af6561b 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Sync all boost.context files with release 1.86.0. (mvorisek)
   . Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument
     passing to variadic parameter). (ndossche)
+  . Fixed bug GH-20546 (preserve_none attribute configure check on macOs
+    issue). (David Carlier/cho-m)
 
 - Bz2:
   . Fix assertion failures resulting in crashes with stream filter
diff --git a/Zend/Zend.m4 b/Zend/Zend.m4
index 1e1853167cfe3..33009e9909f5a 100644
--- a/Zend/Zend.m4
+++ b/Zend/Zend.m4
@@ -474,7 +474,7 @@ dnl expectations.
 dnl
 AC_DEFUN([ZEND_CHECK_PRESERVE_NONE], [dnl
   AC_CACHE_CHECK([for preserve_none calling convention],
-   [php_cv_preverve_none],
+   [php_cv_preserve_none],
    [AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <stdio.h>
 #include <stdint.h>
@@ -504,7 +504,11 @@ uintptr_t __attribute__((preserve_none)) test(void) {
 		"movq %2, %%r13\n"
 		"xorq %3, %%r13\n"
 		"xorq %%rax, %%rax\n"
+#if defined(__APPLE__)
+		"call _fun\n"
+#else
 		"call fun\n"
+#endif
 		: "=a" (ret)
 		: "r" (const1), "r" (const2), "r" (key)
 		: "r12", "r13"
@@ -515,7 +519,11 @@ uintptr_t __attribute__((preserve_none)) test(void) {
 		"eor    x20, %1, %3\n"
 		"eor    x21, %2, %3\n"
 		"eor    x0, x0, x0\n"
+#if defined(__APPLE__)
+		"bl     _fun\n"
+#else
 		"bl     fun\n"
+#endif
 		"mov    %0, x0\n"
 		: "=r" (ret)
 		: "r" (const1), "r" (const2), "r" (key)