Avoid signed integer overflow in string offset check

Cast to size_t before performing operations instead of afterwards.

2 files changed, 17 insertions, 1 deletions

diff --git a/Zend/tests/string_offset_int_min_max.phpt b/Zend/tests/string_offset_int_min_max.phpt
new file mode 100644
index 0000000000..b8bd4bcd6b
--- /dev/null
+++ b/Zend/tests/string_offset_int_min_max.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Accessing PHP_INT_MAX and PHP_INT_MIN as string offsets
+--FILE--
+<?php
+
+$str = "";
+var_dump($str[PHP_INT_MAX]);
+var_dump($str[PHP_INT_MIN]);
+
+?>
+--EXPECTF--
+Notice: Uninitialized string offset: %d in %s on line %d
+string(0) ""
+
+Notice: Uninitialized string offset: -%d in %s on line %d
+string(0) ""
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 3b980e8776..9ae73caae1 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2369,7 +2369,7 @@ try_string_offset:
 			offset = Z_LVAL_P(dim);
 		}
 
-		if (UNEXPECTED(Z_STRLEN_P(container) < (size_t)((offset < 0) ? -offset : (offset + 1)))) {
+		if (UNEXPECTED(Z_STRLEN_P(container) < ((offset < 0) ? -(size_t)offset : ((size_t)offset + 1)))) {
 			if (type != BP_VAR_IS) {
 				zend_error(E_NOTICE, "Uninitialized string offset: " ZEND_LONG_FMT, offset);
 				ZVAL_EMPTY_STRING(result);