Merge branch 'PHP-5.6' into PHP-7.0

3 files changed, 33 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index f881d7fabc..36b01a3453 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016 PHP 7.0.12
 
+- mbstring:
+  . Fixed bug #66797 (mb_substr only takes 32-bit signed integer). (cmb)
+
 - Standard:
   . Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
     (cmb)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 9968a1dc51..c9200b8ce5 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -2923,6 +2923,13 @@ PHP_FUNCTION(mb_substr)
 		RETURN_FALSE;
 	}
 
+	if (from > INT_MAX) {
+		from = INT_MAX;
+	}
+	if (len > INT_MAX) {
+		len = INT_MAX;
+	}
+
 	ret = mbfl_substr(&string, &result, from, len);
 	if (NULL == ret) {
 		RETURN_FALSE;
diff --git a/ext/mbstring/tests/bug66797.phpt b/ext/mbstring/tests/bug66797.phpt
new file mode 100644
index 0000000000..df9e789be6
--- /dev/null
+++ b/ext/mbstring/tests/bug66797.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #66797 (mb_substr only takes 32-bit signed integer)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only');
+?>
+--FILE--
+<?php
+var_dump(
+    mb_substr('bar', 0, 0x7fffffff),
+    mb_substr('bar', 0, 0x80000000),
+    mb_substr('bar', 0xffffffff, 1),
+    mb_substr('bar', 0x100000000, 1)
+);
+?>
+==DONE==
+--EXPECTF--
+string(3) "bar"
+string(3) "bar"
+string(0) ""
+string(0) ""
+==DONE==