From 6dba1330ce41a887bac9136d604de766ceae81fa Mon Sep 17 00:00:00 2001
From: fuzzsave <0599jiangyc@gmail.com>
Date: Tue, 13 Jan 2026 17:04:54 +0530
Subject: [PATCH 1/5] =?UTF-8?q?=1B[200~Fix=20signed=20integer=20overflow?=
 =?UTF-8?q?=20in=20memory=20stream=20seek?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main/streams/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main/streams/memory.c b/main/streams/memory.c
index 2f411ff8e8c9c..6ba0e7a723898 100644
--- a/main/streams/memory.c
+++ b/main/streams/memory.c
@@ -165,7 +165,7 @@ static int php_stream_memory_seek(php_stream *stream, zend_off_t offset, int whe
 stream->eof = 0;
 stream->fatal_error = 0;
 return 0;
- } else if (ZSTR_LEN(ms->data) < (size_t)(-offset)) {
+ } else if (ZSTR_LEN(ms->data) < (size_t)(-(zend_ulong)offset)) {
 ms->fpos = 0;
 *newoffs = -1;
 return -1;

From c781fade9a47f33054fa78590b1be3dd6072f5a4 Mon Sep 17 00:00:00 2001
From: fuzzsave <0599jiangyc@gmail.com>
Date: Tue, 13 Jan 2026 17:15:05 +0530
Subject: [PATCH 2/5] Fix signed integer overflow in memory stream seek

---
 ext/spl/tests/SplFileObject/bug20921.phpt | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 ext/spl/tests/SplFileObject/bug20921.phpt

diff --git a/ext/spl/tests/SplFileObject/bug20921.phpt b/ext/spl/tests/SplFileObject/bug20921.phpt
new file mode 100644
index 0000000000000..c12976128c85a
--- /dev/null
+++ b/ext/spl/tests/SplFileObject/bug20921.phpt
@@ -0,0 +1,10 @@
+--TEST--
+memory stream seek edge case: PHP_INT_MIN with SEEK_END
+--FILE--
+fseek(PHP_INT_MIN, SEEK_END));
+--EXPECT--
+int(-1)

From d787e91f35acc02d38eda63a7fc0e51a00a61043 Mon Sep 17 00:00:00 2001
From: fuzzsave <0599jiangyc@gmail.com>
Date: Tue, 13 Jan 2026 17:41:13 +0530
Subject: [PATCH 3/5] Fix signed integer overflow in memory stream seek

---
 main/streams/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

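Review bot: The repair covers only the SEEK_END branch at line 168, while the SEEK_CUR branch of the same function (line 131, `if (ms->fpos < (size_t)(-offset)) {`, visible in the 3/5 hunk) negates `offset` the same way and hits the same signed overflow for the most negative `zend_off_t` (the `PHP_INT_MIN` that the 2/5 test feeds in); 3/5 fixes it separately, so the series should be squashed so the fix lands atomically and bisects cleanly. The new form `(size_t)(-(zend_ulong)offset)` is well-defined because the negation is done on the unsigned value, but 4/5 replaces it with the shorter `-(size_t)offset`, and that is the form that should survive the squash. The subject of this patch also carries a stray terminal bracketed-paste escape (`=1B[200~` inside the encoded word), which should be dropped from the squashed message. php_stream_memory_seek starts and ends outside the hunk.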
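Review bot: The test exercises only the SEEK_END path; the SEEK_CUR branch fixed in 3/5 (line 131 of main/streams/memory.c) makes the same negated-offset comparison and no test in the series reaches it, so a second call on the same object, `fseek(PHP_INT_MIN, SEEK_CUR)`, with a matching `int(-1)` in --EXPECT-- would cover both sites — provided the generic stream layer hands SEEK_CUR through to the memory op unchanged, which is worth confirming before relying on that case. The hunk is garbled in this view: the `<?php` opener and the receiver of `fseek` are missing, so the visible body cannot be checked against the 10 added lines the hunk header declares. The --TEST-- title describes a memory-stream fix, yet the file lives under ext/spl/tests/SplFileObject; a variant driven through `fopen('php://memory', ...)` and `fseek()` next to the other stream tests would tie the regression test to the code it guards, though the SPL route is acceptable if it is the public path that triggered the report.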
diff --git a/main/streams/memory.c b/main/streams/memory.c
index 6ba0e7a723898..77b3fc6742862 100644
--- a/main/streams/memory.c
+++ b/main/streams/memory.c
@@ -128,7 +128,7 @@ static int php_stream_memory_seek(php_stream *stream, zend_off_t offset, int whe
 switch(whence) {
 case SEEK_CUR:
 if (offset < 0) {
- if (ms->fpos < (size_t)(-offset)) {
+ if (ms->fpos < (-(zend_ulong)offset)){
 ms->fpos = 0;
 *newoffs = -1;
 return -1;

From 58685969bd24801a4b6e147f08ce92715e0ccbb8 Mon Sep 17 00:00:00 2001
From: fuzzsave <0599jiangyc@gmail.com>
Date: Tue, 13 Jan 2026 17:59:48 +0530
Subject: [PATCH 4/5] Fix signed integer overflow in memory stream seek

---
 ext/spl/tests/SplFileObject/bug20921.phpt | 2 +-
 main/streams/memory.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/spl/tests/SplFileObject/bug20921.phpt b/ext/spl/tests/SplFileObject/bug20921.phpt
index c12976128c85a..431abaf222e5d 100644
--- a/ext/spl/tests/SplFileObject/bug20921.phpt
+++ b/ext/spl/tests/SplFileObject/bug20921.phpt
@@ -1,5 +1,5 @@
 --TEST--
-memory stream seek edge case: PHP_INT_MIN with SEEK_END
+Bug #20921 - Memory stream seek edge case: PHP_INT_MIN with SEEK_END
 --FILE-- fpos < (-(zend_ulong)offset)){
+ if (ms->fpos < -(size_t)(offset)) {
 ms->fpos = 0;
 *newoffs = -1;
 return -1;
@@ -165,7 +165,7 @@ static int php_stream_memory_seek(php_stream *stream, zend_off_t offset, int whe
 stream->eof = 0;
 stream->fatal_error = 0;
 return 0;
- } else if (ZSTR_LEN(ms->data) < (size_t)(-(zend_ulong)offset)) {
+ } else if (ZSTR_LEN(ms->data) < -(size_t)offset) {
 ms->fpos = 0;
 *newoffs = -1;
 return -1;

From d26d63d651431ff61b1918eda691cc414832601f Mon Sep 17 00:00:00 2001
From: fuzzsave <0599jiangyc@gmail.com>
Date: Tue, 13 Jan 2026 18:06:22 +0530
Subject: [PATCH 5/5] Fix signed integer overflow in memory stream seek

---
 main/streams/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main/streams/memory.c b/main/streams/memory.c
index d322ed5d1264b..37c3dc69e2280 100644
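Review bot: Both sites that now read `-(size_t)offset` (line 131 in the first hunk and line 168 in the second) depend on the cast happening before the negation, and nothing in the code says so — `(size_t)(-offset)` and `-(size_t)offset` read as equivalent, so a later cleanup is likely to reintroduce the overflow. A comment at the first site would protect it, e.g. `/* cast before negating: -offset is signed overflow for the most negative zend_off_t; negating the size_t value yields the magnitude */`, or both comparisons could go through one `static inline` helper that carries the explanation. The idiom also assumes `size_t` is at least as wide as `zend_off_t` (a narrower `size_t` would truncate the magnitude before the comparison); a `ZEND_STATIC_ASSERT(sizeof(size_t) >= sizeof(zend_off_t), "...")` near the function would pin that. The first hunk's header and removed line are lost in this view, php_stream_memory_seek starts and ends outside both hunks, and 5/5 later drops the redundant parentheses at line 131 so the two sites match.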
--- a/main/streams/memory.c
+++ b/main/streams/memory.c
@@ -128,7 +128,7 @@ static int php_stream_memory_seek(php_stream *stream, zend_off_t offset, int whe
 switch(whence) {
 case SEEK_CUR:
 if (offset < 0) {
- if (ms->fpos < -(size_t)(offset)) {
+ if (ms->fpos < -(size_t)offset) {
 ms->fpos = 0;
 *newoffs = -1;
 return -1;