refix the negative zend_long to size_t casts
authorAnatol Belski <ab@php.net>
Mon, 29 Jun 2015 18:33:34 +0000 (20:33 +0200)
committerAnatol Belski <ab@php.net>
Mon, 29 Jun 2015 18:41:39 +0000 (20:41 +0200)
There is no good way to fix this for 32-bit without enormously
overcomplicating the logic. Therefore switching back to the previous
code and adding explicit casts to ensure that negative values are never
implicitly converted to size_t.

ext/standard/string.c

index 31d4e9f14d6daa2b8f7403169558a0cae6eb97fe..8d9c94df163524875d78613ab3e4d522ba52d6bc 100644 (file)
@@ -2484,10 +2484,9 @@ PHP_FUNCTION(substr_replace)
                         * of the string
                         */
                        if (f < 0) {
-                               if (-f > Z_STRLEN_P(str)) {
+                               f = (zend_long)Z_STRLEN_P(str) + f;
+                               if (f < 0) {
                                        f = 0;
-                               } else {
-                                       f = Z_STRLEN_P(str) + f;
                                }
                        } else if (f > Z_STRLEN_P(str)) {
                                f = Z_STRLEN_P(str);
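Review bot: The unchanged `} else if (f > Z_STRLEN_P(str)) {` at the end of this hunk is still a signed-to-unsigned comparison, while the equivalent lines in the two array-path hunks below now read `f > (zend_long)orig_str->len`. It is safe here only because the preceding `if (f < 0)` branch has already handled the negative values, so the implicit conversion of `f` to `size_t` cannot wrap. For consistency with the rest of the commit I would write `} else if (f > (zend_long)Z_STRLEN_P(str)) {`, and treat `l > Z_STRLEN_P(str)` in the next hunk the same way. The enclosing block of PHP_FUNCTION(substr_replace) starts and ends outside the hunk.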
@@ -2496,17 +2495,17 @@ PHP_FUNCTION(substr_replace)
                         * needed to stop that many chars from the end of the string
                         */
                        if (l < 0) {
-                               l = (Z_STRLEN_P(str) - f) + l;
+                               l = ((zend_long)Z_STRLEN_P(str) - f) + l;
                                if (l < 0) {
                                        l = 0;
                                }
                        }
 
-                       if (l > Z_STRLEN_P(str) || (l < 0 && -l > Z_STRLEN_P(str))) {
+                       if (l > Z_STRLEN_P(str) || (l < 0 && (size_t)(-l) > Z_STRLEN_P(str))) {
                                l = Z_STRLEN_P(str);
                        }
 
-                       if ((f + l) > Z_STRLEN_P(str)) {
+                       if ((f + l) > (zend_long)Z_STRLEN_P(str)) {
                                l = Z_STRLEN_P(str) - f;
                        }
                        if (Z_TYPE_P(repl) == IS_ARRAY) {
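Review bot: The new `(f + l) > (zend_long)Z_STRLEN_P(str)` still adds two signed values before comparing, and with `f` and `l` each clamped to at most the string length the sum can reach twice that length; on a 32-bit build this would overflow `zend_long` for a string longer than 1 GiB, if such a string can be allocated there. Since `f` appears to be within `[0, len]` by this point (clamped in the previous hunk), `if (l > (zend_long)Z_STRLEN_P(str) - f) {` expresses the same test without the addition. The same comparison appears in the last hunk as `(f + l) > (zend_long)orig_str->len`, where the clamping of `l` is not visible. Separately, the `l < 0 && (size_t)(-l) > Z_STRLEN_P(str)` term looks unreachable, because the block just above leaves `l` non-negative; dropping it would also remove the `-l` negation.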
@@ -2563,12 +2562,11 @@ PHP_FUNCTION(substr_replace)
                                        f = zval_get_long(tmp_from);
 
                                        if (f < 0) {
-                                               if (-f > orig_str->len) {
+                                               f = (zend_long)orig_str->len + f;
+                                               if (f < 0) {
                                                        f = 0;
-                                               } else {
-                                                       f = orig_str->len + f;
                                                }
-                                       } else if (f > orig_str->len) {
+                                       } else if (f > (zend_long)orig_str->len) {
                                                f = orig_str->len;
                                        }
                                        from_idx++;
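Review bot: The negative-offset clamp added here is the third copy of the same logic in this commit (also in the first hunk and in the `Z_LVAL_P(from)` branch of the next one), and each copy has to get the `(zend_long)` cast right on its own. A small file-local helper taking the offset and the length would keep the size_t to zend_long conversion in one place; a sketch with a suggested name follows. It would also be the natural place for a comment stating the assumption the casts rely on, namely that a string length always fits in `zend_long`. The enclosing loop starts and ends outside the hunk.

```c
/* Normalise a user-supplied start offset into [0, len]; a negative
 * offset counts back from the end of the string. Assumes len fits in
 * zend_long. (Helper name is a suggestion.) */
static zend_always_inline zend_long php_substr_replace_clamp_from(zend_long f, size_t len)
{
	if (f < 0) {
		f += (zend_long)len;
		return f < 0 ? 0 : f;
	}
	return f > (zend_long)len ? (zend_long)len : f;
}

/* … unchanged: tmp_from lookup … */
f = php_substr_replace_clamp_from(zval_get_long(tmp_from), orig_str->len);
from_idx++;
```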
@@ -2578,12 +2576,11 @@ PHP_FUNCTION(substr_replace)
                        } else {
                                f = Z_LVAL_P(from);
                                if (f < 0) {
-                                       if (-f > orig_str->len) {
+                                       f = (zend_long)orig_str->len + f;
+                                       if (f < 0) {
                                                f = 0;
-                                       } else {
-                                               f = orig_str->len + f;
                                        }
-                               } else if (f > orig_str->len) {
+                               } else if (f > (zend_long)orig_str->len) {
                                        f = orig_str->len;
                                }
                        }
@@ -2615,7 +2612,7 @@ PHP_FUNCTION(substr_replace)
                                }
                        }
 
-                       if ((f + l) > orig_str->len) {
+                       if ((f + l) > (zend_long)orig_str->len) {
                                l = orig_str->len - f;
                        }