From d2e3f5785d7527cee9d6860c23a96216e7cb922f Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 14 Jul 2021 17:20:51 +0200
Subject: [PATCH] Fix #72146: Integer overflow on substr_replace
Adding two `zend_long`s may overflow, and casting `size_t` to `zend_long` may truncate; we can avoid this here by enforcing unsigned arithmetic.
---
 ext/standard/string.c | 4 +++-
 ext/standard/tests/strings/bug72146.phpt | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/strings/bug72146.phpt
diff --git a/ext/standard/string.c b/ext/standard/string.c
index e2f18b373bded..825d1b7fe4378 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2664,7 +2664,9 @@ PHP_FUNCTION(substr_replace)
 }
 }
- if ((f + l) > (zend_long)ZSTR_LEN(orig_str)) {
+ ZEND_ASSERT(0 <= f && f <= ZEND_LONG_MAX);
+ ZEND_ASSERT(0 <= l && l <= ZEND_LONG_MAX);
+ if (((size_t) f + l) > ZSTR_LEN(orig_str)) {
 l = ZSTR_LEN(orig_str) - f;
 }
diff --git a/ext/standard/tests/strings/bug72146.phpt b/ext/standard/tests/strings/bug72146.phpt
new file mode 100644
index 0000000000000..72b332570ff2e
--- /dev/null
+++ b/ext/standard/tests/strings/bug72146.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72146 (Integer overflow on substr_replace)
+--FILE--
+
+--EXPECT--
+array(1) {
+ [0]=>
+ string(6) "ABC123"
+}
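Review bot: The two `ZEND_ASSERT`s added before the new `(size_t) f + l` comparison are debug-only checks (they compile out in release builds), so the wrap-free sum relies on code above this hunk — the rest of `PHP_FUNCTION(substr_replace)` starts and ends outside it — having already clamped `f` and `l` to non-negative values; that is presumably the case, but if `f` and `l` are `zend_long` as the removed cast suggests, the upper-bound halves `f <= ZEND_LONG_MAX` and `l <= ZEND_LONG_MAX` are tautologies and assert nothing. I would reduce them to `ZEND_ASSERT(f >= 0 && l >= 0);` and state the invariant the comparison depends on in a comment, e.g. `/* f and l are non-negative here, so the size_t sum cannot wrap */`. The unchanged `l = ZSTR_LEN(orig_str) - f;` on the next line still wraps if `f` ever exceeds the string length; if the earlier normalization guarantees `f <= ZSTR_LEN(orig_str)`, adding that to the same comment would make the assumption explicit for the next reader.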