Fix GH-19578: imagefilledellipse underflow on width argument.

close GH-19579

Author: devnexen

NEWS

@@ -29,6 +29,10 @@ PHP                                                                        NEWS
 - FPM:
   . Fixed failed debug assertion when php_admin_value setting fails. (ilutov)
 
+- GD:
+  . Fixed bug GH-19579 (imagefilledellipse underflow on width argument).
+    (David Carlier)
+
 - OpenSSL:
   . Fixed bug GH-19245 (Success error message on TLS stream accept failure).
     (Jakub Zelenka)

ext/gd/gd.c

@@ -832,6 +832,11 @@ PHP_FUNCTION(imagefilledellipse)
 		RETURN_THROWS();
 	}
 
+    if (w < 0 || ZEND_LONG_INT_OVFL(w)) {
+        zend_argument_value_error(4, "must be between 0 and %d", INT_MAX);
+        RETURN_THROWS();
+    }
+
 	im = php_gd_libgdimageptr_from_zval_p(IM);
 
 	gdImageFilledEllipse(im, cx, cy, w, h, color);

ext/gd/tests/gh19578.phpt

@@ -0,0 +1,27 @@
+--TEST--
+GH-19578: imagefilledellipse underflow on width argument
+--EXTENSIONS--
+gd
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
+?>
+--FILE--
+<?php
+$src = imagecreatetruecolor(255, 255);
+
+try {
+    imagefilledellipse($src, 0, 0, PHP_INT_MAX, 254, 0);
+} catch (\ValueError $e) {
+    echo $e->getMessage(), PHP_EOL;
+}
+
+try {
+    imagefilledellipse($src, 0, 0, -16, 254, 0);
+} catch (\ValueError $e) {
+    echo $e->getMessage();
+}
+?>
+--EXPECTF--
+imagefilledellipse(): Argument #4 ($width) must be between 0 and %d
+imagefilledellipse(): Argument #4 ($width) must be between 0 and %d

ext/gd/tests/gh19578_32bits.phpt

@@ -0,0 +1,20 @@
+--TEST--
+GH-19578: imagefilledellipse underflow on width argument
+--EXTENSIONS--
+gd
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 4) die('skip this test is for 32bit platforms only');
+?>
+--FILE--
+<?php
+$src = imagecreatetruecolor(255, 255);
+
+try {
+    imagefilledellipse($src, 0, 0, -16, 254, 0);
+} catch (\ValueError $e) {
+    echo $e->getMessage();
+}
+?>
+--EXPECTF--
+imagefilledellipse(): Argument #4 ($width) must be between 0 and %d