From 4c968c6ddd2d3eb46838db153264edf5c7b3fefa Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Tue, 14 Jun 2016 01:03:03 -0700
Subject: [PATCH] Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL
---
 NEWS | 3 +++
 ext/standard/string.c | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/NEWS b/NEWS
index 37907b393f..3b0153bac2 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016, PHP 5.6.24
+- Core:
+ . Fix bug #72138 (Integer Overflow in Length of String-typed ZVAL). (Stas)
+
 - OpenSSL:
 . Fixed bug #71915 (openssl_random_pseudo_bytes is not fork-safe). (Jakub Zelenka)
diff --git a/ext/standard/string.c b/ext/standard/string.c
index d5f83e7d0f..fa7094510c 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3624,6 +3624,9 @@ PHPAPI int php_char_to_str_ex(char *str, uint len, char from, char *to, int to_l
 }
 Z_STRLEN_P(result) = len + (char_count * (to_len - 1));
+ if (Z_STRLEN_P(result) < 0) {
+ zend_error(E_ERROR, "String size overflow");
+ }
 Z_STRVAL_P(result) = target = safe_emalloc(char_count, to_len, len + 1);
 Z_TYPE_P(result) = IS_STRING;
--
2.40.0
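Review bot: The added `Z_STRLEN_P(result) < 0` test in php_char_to_str_ex runs only after `len + (char_count * (to_len - 1))` has been evaluated and stored, so it catches just the wrapped results that happen to land negative. A product that wraps far enough to come back positive passes the check, and if `char_count` is a signed int (its declaration is outside the hunk) the multiplication itself is undefined on overflow. The stored length would then disagree with the buffer that `safe_emalloc(char_count, to_len, len + 1)` sizes from the same operands on the next line. I would bound the operands before the assignment instead, for example `if (len > INT_MAX || (to_len > 1 && char_count > (INT_MAX - (int)len) / (to_len - 1))) { zend_error(E_ERROR, "String size overflow"); }`, with a comment such as `/* result length must fit the signed zval string length */`. The function body starts and ends outside the hunk.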