From 845b191f16af190fa48ee229c26fd11b510257b8 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Mon, 29 Jun 2015 20:33:34 +0200
Subject: [PATCH] refix the negative zend_long to size_t casts

There is no good way to fix this for 32-bit without enormously
overcomplicating the logic. Therefore switching back to the previous
code and adding the casts to ensure there are no sudden casts of
negative to size_t.
---
 ext/standard/string.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 31d4e9f14d..8d9c94df16 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2484,10 +2484,9 @@ PHP_FUNCTION(substr_replace)
 			 * of the string
 			 */
 			if (f < 0) {
-				if (-f > Z_STRLEN_P(str)) {
+				f = (zend_long)Z_STRLEN_P(str) + f;
+				if (f < 0) {
 					f = 0;
-				} else {
-					f = Z_STRLEN_P(str) + f;
 				}
 			} else if (f > Z_STRLEN_P(str)) {
 				f = Z_STRLEN_P(str);
@@ -2496,17 +2495,17 @@ PHP_FUNCTION(substr_replace)
 			 * needed to stop that many chars from the end of the string
 			 */
 			if (l < 0) {
-				l = (Z_STRLEN_P(str) - f) + l;
+				l = ((zend_long)Z_STRLEN_P(str) - f) + l;
 				if (l < 0) {
 					l = 0;
 				}
 			}
 
-			if (l > Z_STRLEN_P(str) || (l < 0 && -l > Z_STRLEN_P(str))) {
+			if (l > Z_STRLEN_P(str) || (l < 0 && (size_t)(-l) > Z_STRLEN_P(str))) {
 				l = Z_STRLEN_P(str);
 			}
 
-			if ((f + l) > Z_STRLEN_P(str)) {
+			if ((f + l) > (zend_long)Z_STRLEN_P(str)) {
 				l = Z_STRLEN_P(str) - f;
 			}
 			if (Z_TYPE_P(repl) == IS_ARRAY) {
@@ -2563,12 +2562,11 @@ PHP_FUNCTION(substr_replace)
 					f = zval_get_long(tmp_from);
 
 					if (f < 0) {
-						if (-f > orig_str->len) {
+						f = (zend_long)orig_str->len + f;
+						if (f < 0) {
 							f = 0;
-						} else {
-							f = orig_str->len + f;
 						}
-					} else if (f > orig_str->len) {
+					} else if (f > (zend_long)orig_str->len) {
 						f = orig_str->len;
 					}
 					from_idx++;
@@ -2578,12 +2576,11 @@ PHP_FUNCTION(substr_replace)
 			} else {
 				f = Z_LVAL_P(from);
 				if (f < 0) {
-					if (-f > orig_str->len) {
+					f = (zend_long)orig_str->len + f;
+					if (f < 0) {
 						f = 0;
-					} else {
-						f = orig_str->len + f;
 					}
-				} else if (f > orig_str->len) {
+				} else if (f > (zend_long)orig_str->len) {
 					f = orig_str->len;
 				}
 			}
@@ -2615,7 +2612,7 @@ PHP_FUNCTION(substr_replace)
 				}
 			}
 
-			if ((f + l) > orig_str->len) {
+			if ((f + l) > (zend_long)orig_str->len) {
 				l = orig_str->len - f;
 			}
 
-- 
2.40.0