Avoid signed integer overflow in substr()

Perform negation after the (size_t) cast rather than before, so as to avoid a signed integer overflow for PHP_INT_MIN. Fixes oss-fuzz #31069.
2026-03-24 08:12:21 +01:00 · 2021-02-18 10:29:19 +01:00
parent 553a0c52b1
commit 85ffe8dcdc
2 changed files with 12 additions and 2 deletions
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2177,7 +2177,7 @@ PHP_FUNCTION(substr)
 		/* if "from" position is negative, count start position from the end
 		 * of the string
 		 */
-		if ((size_t)-f > ZSTR_LEN(str)) {
+		if (-(size_t)f > ZSTR_LEN(str)) {
 			f = 0;
 		} else {
 			f = (zend_long)ZSTR_LEN(str) + f;
@@ -2191,7 +2191,7 @@ PHP_FUNCTION(substr)
 			/* if "length" position is negative, set it to the length
 			 * needed to stop that many chars from the end of the string
 			 */
-			if ((size_t)(-l) > ZSTR_LEN(str) - (size_t)f) {
+			if (-(size_t)l > ZSTR_LEN(str) - (size_t)f) {
 				l = 0;
 			} else {
 				l = (zend_long)ZSTR_LEN(str) - f + l;
--- a/ext/standard/tests/strings/substr_int_min.phpt
+++ b/ext/standard/tests/strings/substr_int_min.phpt
@@ -0,0 +1,10 @@
+--TEST--
+substr() with PHP_INT_MIN offset or length
+--FILE--
+<?php
+var_dump(substr('x', PHP_INT_MIN));
+var_dump(substr('x', 0, PHP_INT_MIN));
+?>
+--EXPECT--
+string(1) "x"
+string(0) ""