Avoid signed integer overflow in substr()

Perform negation after the (size_t) cast rather than before,
so as to avoid a signed integer overflow for PHP_INT_MIN.

Fixes oss-fuzz #31069.

2 files changed, 12 insertions, 2 deletions

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 8d0754347a..cf77435f80 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2177,7 +2177,7 @@ PHP_FUNCTION(substr)
 		/* if "from" position is negative, count start position from the end
 		 * of the string
 		 */
-		if ((size_t)-f > ZSTR_LEN(str)) {
+		if (-(size_t)f > ZSTR_LEN(str)) {
 			f = 0;
 		} else {
 			f = (zend_long)ZSTR_LEN(str) + f;
@@ -2191,7 +2191,7 @@ PHP_FUNCTION(substr)
 			/* if "length" position is negative, set it to the length
 			 * needed to stop that many chars from the end of the string
 			 */
-			if ((size_t)(-l) > ZSTR_LEN(str) - (size_t)f) {
+			if (-(size_t)l > ZSTR_LEN(str) - (size_t)f) {
 				l = 0;
 			} else {
 				l = (zend_long)ZSTR_LEN(str) - f + l;
diff --git a/ext/standard/tests/strings/substr_int_min.phpt b/ext/standard/tests/strings/substr_int_min.phpt
new file mode 100644
index 0000000000..4c00577e28
--- /dev/null
+++ b/ext/standard/tests/strings/substr_int_min.phpt
@@ -0,0 +1,10 @@
+--TEST--
+substr() with PHP_INT_MIN offset or length
+--FILE--
+<?php
+var_dump(substr('x', PHP_INT_MIN));
+var_dump(substr('x', 0, PHP_INT_MIN));
+?>
+--EXPECT--
+string(1) "x"
+string(0) ""