From 9f654decdc12cad9575c6ebecb28adf0172e20bd Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 29 Nov 2025 22:19:37 +0000
Subject: [PATCH 1/2] Fix GH-20622: imagestring/imagestringup overflow/underflow.
close GH-20623
---
 NEWS | 3 +++
 ext/gd/gd.c | 9 +++++----
 ext/gd/tests/gh20622.phpt | 13 +++++++++++++
 3 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 ext/gd/tests/gh20622.phpt
diff --git a/NEWS b/NEWS
index 8cb21eb94fb8..d6b832917dfd 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.30
+- GD:
+ . Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
+
 18 Dec 2025, PHP 8.3.29
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 925d64f01c5e..5efc8e4d52cd 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2763,7 +2763,8 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 char *C;
 size_t C_len;
 gdImagePtr im;
- int ch = 0, col, x, y, i, l = 0;
+ int ch = 0, col, i, l = 0;
+ unsigned int x, y;
 unsigned char *str = NULL;
 zend_object *font_obj = NULL;
 zend_long font_int = 0;
@@ -2795,21 +2796,21 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 switch (mode) {
 case 0:
- gdImageChar(im, font, x, y, ch, col);
+ gdImageChar(im, font, (int)x, (int)y, ch, col);
 break;
 case 1:
 php_gdimagecharup(im, font, x, y, ch, col);
 break;
 case 2:
 for (i = 0; (i < l); i++) {
- gdImageChar(im, font, x, y, (int) ((unsigned char) str[i]), col);
+ gdImageChar(im, font, (int)x, (int)y, (int) ((unsigned char) str[i]), col);
 x += font->w;
 }
 break;
 case 3: {
 for (i = 0; (i < l); i++) {
 /* php_gdimagecharup(im, font, x, y, (int) str[i], col); */
- gdImageCharUp(im, font, x, y, (int) str[i], col);
+ gdImageCharUp(im, font, (int)x, (int)y, (int) str[i], col);
 y -= font->w;
 }
 break;
diff --git a/ext/gd/tests/gh20622.phpt b/ext/gd/tests/gh20622.phpt
new file mode 100644
index 000000000000..42109ddc13e4
--- /dev/null
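Review bot: The new `unsigned int x, y;` declaration in php_imagechar has no comment saying the unsigned type is deliberate, so a later cleanup could restore `int` and bring back the signed overflow in the `x += font->w` and `y -= font->w` steps. I would put `/* unsigned on purpose: stepping by font->w must wrap, not overflow a signed int (GH-20622) */` above it. The assignments from the zend_long arguments are outside this hunk; if they are plain assignments, coordinates beyond the int range are still narrowed silently, and an explicit range check there would reject them instead.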
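Review bot: In `case 1` the call `php_gdimagecharup(im, font, x, y, ch, col);` is the only drawing call left without the `(int)` cast, so it converts x and y implicitly while the other three calls do it explicitly; assuming the helper takes int coordinates like gdImageChar, `php_gdimagecharup(im, font, (int)x, (int)y, ch, col);` keeps them consistent. The casts make the wrap defined but not bounded: for x or y above INT_MAX the converted value is implementation-defined, and the `case 2` and `case 3` loops go on calling into gd for every remaining character. Whether gdImageChar and gdImageCharUp clip such coordinates is not visible here, so a one-line comment above each loop stating that reliance would help. The switch and the function continue past the end of the hunk.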
+++ b/ext/gd/tests/gh20622.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-20622 (imagestring/imagestringup overflow/underflow)
+--EXTENSIONS--
+gd
+--FILE--
+
+--EXPECT--
+OK
From e910bbf14404f55ec2e18a571a0f62c1e8e78c72 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Thu, 4 Dec 2025 23:25:29 +0000
Subject: [PATCH 2/2] ext/gd: fix build
---
 ext/gd/gd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 35c1b8b50a76..2456afa15c7a 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -2976,7 +2976,7 @@ static void php_imagechar(INTERNAL_FUNCTION_PARAMETERS, int mode)
 zend_long X, Y, COL;
 zend_string *C;
 gdImagePtr im;
- int ch = 0, col, i, l = 0;
+ int ch = 0, col, i;
 unsigned int x, y;
 size_t l = 0;
 unsigned char *str = NULL;
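Review bot: After this change `l` is `size_t` while the loop counter `i` on the edited line stays `int`, so any `i < l` loop in the function body (outside this hunk) compares signed with unsigned, and `i++` would overflow for a string longer than INT_MAX. Declaring the counter next to the length, `int ch = 0, col;` plus `size_t i, l = 0;`, would remove the mismatch, provided nothing else in the body relies on `i` being signed.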