From 7bc5355b07125968d61e51363557898be4d0da93 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Fri, 4 Apr 2025 06:55:59 +0100
Subject: [PATCH 1/4] Fixed GH-18243: imagettftext underflow/overflow on size argument.
---
 ext/gd/gd.c | 6 ++++++
 ext/gd/tests/gh18243.phpt | 24 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 ext/gd/tests/gh18243.phpt
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index ae03b602cdc5b..4d4e08e2030bb 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3082,6 +3082,12 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode)
 im = php_gd_libgdimageptr_from_zval_p(IM);
 }
+ // FT_F26Dot6 is a signed long alias
+ if (ptsize < (double)LONG_MIN / 64 || ptsize > (double)LONG_MAX / 64) {
+ zend_argument_value_error(2, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, (zend_long)(LONG_MIN / 64), (zend_long)(LONG_MAX / 64));
+ RETURN_THROWS();
+ }
+
 /* convert angle to radians */
 angle = angle * (M_PI/180);
diff --git a/ext/gd/tests/gh18243.phpt b/ext/gd/tests/gh18243.phpt
new file mode 100644
index 0000000000000..845f8101b5c8a
--- /dev/null
+++ b/ext/gd/tests/gh18243.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-17984: array of references handling
+--EXTENSIONS--
+gd
+--FILE--
+getMessage(), PHP_EOL;
+}
+
+try {
+ imagettftext($im, PHP_INT_MIN, 0, 15, 60, 0, $font, "");
+} catch (\ValueError $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECTF--
+imagettftext(): Argument #2 ($size) must be between %i and %d
+imagettftext(): Argument #2 ($size) must be between %i and %d
From b166b88d8deaddcbddb0d9e788ba61f58d12c02f Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Fri, 4 Apr 2025 07:02:26 +0100
Subject: [PATCH 2/4] fix test title
---
 ext/gd/tests/gh18243.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/gd/tests/gh18243.phpt b/ext/gd/tests/gh18243.phpt
index 845f8101b5c8a..fd47fc4a1a61d 100644
--- a/ext/gd/tests/gh18243.phpt
+++ b/ext/gd/tests/gh18243.phpt
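Review bot: The upper bound of the added range check in ext/gd/gd.c looks off by one at the boundary: where `long` is 64-bit, `(double)LONG_MAX` rounds up to 2^63, so `ptsize > (double)LONG_MAX / 64` still accepts a size of exactly 2^57. If the size is later scaled by 64 and converted to `FT_F26Dot6`, as the comment suggests (that conversion is not visible in this hunk), the result no longer fits a signed long and the float-to-integer conversion is undefined. Writing the upper test as `ptsize >= (double)LONG_MAX / 64` closes that edge; the lower test can stay as it is because `LONG_MIN` is exactly representable as a double. The same condition is carried unchanged as context in the [PATCH 3/4] gd.c hunk, whose reworked message prints that 2^57 value as the allowed maximum; php_imagettftext_common starts and ends outside the hunk.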
@@ -1,5 +1,5 @@
 --TEST--
-GH-17984: array of references handling
+GH-18243: imagefttext underflow/overflow on $size
 --EXTENSIONS--
 gd
 --FILE--
From eed1f3825094c1445bc3c1ee7bce05c7b87200a7 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 5 Apr 2025 00:28:33 +0100
Subject: [PATCH 3/4] changes from review
---
 ext/gd/gd.c | 2 +-
 ext/gd/tests/gh18243.phpt | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 4d4e08e2030bb..3d3e4ea8a8973 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3084,7 +3084,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode)
 // FT_F26Dot6 is a signed long alias
 if (ptsize < (double)LONG_MIN / 64 || ptsize > (double)LONG_MAX / 64) {
- zend_argument_value_error(2, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, (zend_long)(LONG_MIN / 64), (zend_long)(LONG_MAX / 64));
+ zend_argument_value_error(2, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, (zend_long)((double)LONG_MIN / 64), (zend_long)((double)LONG_MAX / 64));
 RETURN_THROWS();
 }
diff --git a/ext/gd/tests/gh18243.phpt b/ext/gd/tests/gh18243.phpt
index fd47fc4a1a61d..b7d1e7cc8068f 100644
--- a/ext/gd/tests/gh18243.phpt
+++ b/ext/gd/tests/gh18243.phpt
@@ -2,6 +2,10 @@
 GH-18243: imagefttext underflow/overflow on $size
 --EXTENSIONS--
 gd
+--SKIPIF--
+
 --FILE--
Date: Sat, 5 Apr 2025 14:07:10 +0100
Subject: [PATCH 4/4] taking in account INF/NAN
---
 ext/gd/gd.c | 5 +++++
 ext/gd/tests/gh18243.phpt | 14 ++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 3d3e4ea8a8973..6b727a211189a 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3088,6 +3088,11 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode)
 RETURN_THROWS();
 }
+ if (UNEXPECTED(!zend_finite(ptsize))) {
+ zend_argument_value_error(2, "must be finite");
+ RETURN_THROWS();
+ }
+
 /* convert angle to radians */
 angle = angle * (M_PI/180);
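Review bot: The `zend_finite()` check added in the [PATCH 4/4] gd.c hunk sits after the range check, so in practice it only fires for NaN: both infinities already fail the earlier comparison and get the "must be between" message, which is what the INF case in gh18243.phpt expects. Moving the finiteness test ahead of the range test would report infinities as "must be finite" and leave the range comparison to deal with finite values only. If the current order is intended, a comment such as `/* NaN compares false against both bounds above, so it is rejected here */` on the new block would make that explicit. The enclosing function continues outside the hunk.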
diff --git a/ext/gd/tests/gh18243.phpt b/ext/gd/tests/gh18243.phpt
index b7d1e7cc8068f..3235098a3dcc2 100644
--- a/ext/gd/tests/gh18243.phpt
+++ b/ext/gd/tests/gh18243.phpt
@@ -19,6 +19,18 @@ try {
 try {
 imagettftext($im, PHP_INT_MIN, 0, 15, 60, 0, $font, "");
+} catch (\ValueError $e) {
+ echo $e->getMessage(), PHP_EOL;
+}
+
+try {
+ imagettftext($im, NAN, 0, 15, 60, 0, $font, "");
+} catch (\ValueError $e) {
+ echo $e->getMessage(), PHP_EOL;
+}
+
+try {
+ imagettftext($im, INF, 0, 15, 60, 0, $font, "");
 } catch (\ValueError $e) {
 echo $e->getMessage();
 }
@@ -26,3 +38,5 @@ try {
 --EXPECTF--
 imagettftext(): Argument #2 ($size) must be between %i and %d
 imagettftext(): Argument #2 ($size) must be between %i and %d
+imagettftext(): Argument #2 ($size) must be finite
+imagettftext(): Argument #2 ($size) must be between %i and %d