From de643ead3ec0fe256d2b71649ba7d9c84e2e2102 Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Tue, 5 Jul 2016 12:09:22 +0200
Subject: [PATCH] re-add range check

---
 ext/intl/uchar/uchar.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ext/intl/uchar/uchar.c b/ext/intl/uchar/uchar.c
index abb3e59671..a7e5c17340 100644
--- a/ext/intl/uchar/uchar.c
+++ b/ext/intl/uchar/uchar.c
@@ -8,12 +8,21 @@

 static inline int convert_cp(UChar32* pcp, zval *zcp) {
 zend_long cp = -1;
+
 if (Z_TYPE_P(zcp) == IS_LONG) {
 cp = Z_LVAL_P(zcp);
 } else if (Z_TYPE_P(zcp) == IS_STRING) {
- size_t i = 0;
- U8_NEXT(Z_STRVAL_P(zcp), i, Z_STRLEN_P(zcp), cp);
- if (i != Z_STRLEN_P(zcp)) {
+ int32_t i = 0;
+ size_t zcp_len = Z_STRLEN_P(zcp);
+
+ if (ZEND_SIZE_T_INT_OVFL(zcp_len)) {
+ intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR);
+ intl_error_set_custom_msg(NULL, "Input string is too long.", 0);
+ return FAILURE;
+ }
+
+ U8_NEXT(Z_STRVAL_P(zcp), i, zcp_len, cp);
+ if ((size_t)i != zcp_len) {
 intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR);
 intl_error_set_custom_msg(NULL, "Passing a UTF-8 character for codepoint requires a string which is exactly one UTF-8 codepoint long.", 0);
 return FAILURE;
-- 
2.40.0
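Review bot: The new guard bounds `zcp_len` only from above, so an empty string still reaches `U8_NEXT` with `i == zcp_len == 0`, although ICU documents the macro as requiring `i < length` and it reads the first byte before comparing against the length. That read presumably stays in bounds only because PHP strings carry a terminating NUL, and the input is then rejected by the `(size_t)i != zcp_len` branch as a side effect rather than by design. An explicit `if (zcp_len == 0) { ... return FAILURE; }` ahead of the macro would make the empty case deliberate. Passing `(int32_t)zcp_len` to `U8_NEXT` with a comment such as `/* U8_NEXT uses int32_t offsets; longer inputs are rejected above */` would also record why the overflow check exists and avoid the mixed signed/unsigned comparison inside the macro. `convert_cp` continues past the end of this hunk, so any later range check on `cp` is not visible here.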