From ccd34f4ba3ee4f343254c04ef0df9c2f5653b922 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 21 Nov 2025 19:59:08 +0000 Subject: [PATCH 1/3] Fix GH-20551: imagegammacorrect out of range gamma value. --- ext/gd/gd.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 2c3fce862eaea..45b4970a7a106 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -2293,6 +2293,11 @@ PHP_FUNCTION(imagegammacorrect) gamma = input / output; + if (UNEXPECTED(!zend_finite(gamma))) { + zend_value_error("An input divided by an output must be finite"); + RETURN_THROWS(); + } + im = php_gd_libgdimageptr_from_zval_p(IM); if (gdImageTrueColor(im)) { From 5d4095378edfe1fa5c554258f7213dd0db1bb9c6 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 21 Nov 2025 20:15:30 +0000 Subject: [PATCH 2/3] add test --- ext/gd/tests/gh20551.phpt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 ext/gd/tests/gh20551.phpt diff --git a/ext/gd/tests/gh20551.phpt b/ext/gd/tests/gh20551.phpt new file mode 100644 index 0000000000000..9547d579eedd4 --- /dev/null +++ b/ext/gd/tests/gh20551.phpt @@ -0,0 +1,22 @@ +--TEST-- +GH-20551: (imagegammacorrect out of range input/output value) +--EXTENSIONS-- +gd +--FILE-- +getMessage(), PHP_EOL; +} +try { + imagegammacorrect($im, -NAN, 1.0); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} +?> +--EXPECT-- +An input divided by an output must be finite +An input divided by an output must be finite From 4aa79f02a56715056d91993a63ffb75d54438ebe Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 22 Nov 2025 21:46:38 +0000 Subject: [PATCH 3/3] feedback --- ext/gd/gd.c | 13 +++++++++---- ext/gd/tests/gh20551.phpt | 36 +++++++++++++++++++++++++----------- 2 files changed, 34 insertions(+), 15 deletions(-) diff --git a/ext/gd/gd.c b/ext/gd/gd.c index 45b4970a7a106..558d0764d666a 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -2286,18 +2286,23 @@ PHP_FUNCTION(imagegammacorrect) RETURN_THROWS(); } + if (!zend_finite(input)) { + zend_argument_value_error(2, "must be finite"); + RETURN_THROWS(); + } + if (output <= 0.0) { zend_argument_value_error(3, "must be greater than 0"); RETURN_THROWS(); } - gamma = input / output; - - if (UNEXPECTED(!zend_finite(gamma))) { - zend_value_error("An input divided by an output must be finite"); + if (!zend_finite(output)) { + zend_argument_value_error(3, "must be finite"); RETURN_THROWS(); } + gamma = input / output; + im = php_gd_libgdimageptr_from_zval_p(IM); if (gdImageTrueColor(im)) { diff --git a/ext/gd/tests/gh20551.phpt b/ext/gd/tests/gh20551.phpt index 9547d579eedd4..32ca50ca5f626 100644 --- a/ext/gd/tests/gh20551.phpt +++ b/ext/gd/tests/gh20551.phpt @@ -6,17 +6,31 @@ gd getMessage(), PHP_EOL; -} -try { - imagegammacorrect($im, -NAN, 1.0); -} catch (\ValueError $e) { - echo $e->getMessage(), PHP_EOL; +$gammas = [ + [NAN, 1.0], + [-NAN, 1.0], + [INF, 1.0], + [-INF, 1.0], + [1.0, NAN], + [1.0, -NAN], + [1.0, INF], + [1.0, -INF], +]; + +foreach ($gammas as $gamma) { + try { + imagegammacorrect($im, $gamma[0], $gamma[1]); + } catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; + } } ?> --EXPECT-- -An input divided by an output must be finite -An input divided by an output must be finite +imagegammacorrect(): Argument #2 ($input_gamma) must be finite +imagegammacorrect(): Argument #2 ($input_gamma) must be finite +imagegammacorrect(): Argument #2 ($input_gamma) must be finite +imagegammacorrect(): Argument #2 ($input_gamma) must be greater than 0 +imagegammacorrect(): Argument #3 ($output_gamma) must be finite +imagegammacorrect(): Argument #3 ($output_gamma) must be finite +imagegammacorrect(): Argument #3 ($output_gamma) must be finite +imagegammacorrect(): Argument #3 ($output_gamma) must be greater than 0