From c35d6c0f893b8a3b4ac77e0ca3430c648ec19aae Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Sun, 21 Jun 2026 08:06:33 -0400
Subject: [PATCH] Fix int32_t overflow in intl_charFromString() capacity calculation

intl_charFromString() computed the UTF-8 output capacity as from.length() * 3 in int32_t arithmetic. For a UnicodeString longer than INT32_MAX/3 UTF-16 units the multiply overflows (UB); capacity can go negative, making zend_string_alloc() request a near-SIZE_MAX block, or wrap small, undersizing the buffer that u_strToUTF8WithSub() then writes into.

Reject the over-long input with U_BUFFER_OVERFLOW_ERROR up front, mirroring the existing INT32_MAX guard in the sibling intl_stringFromChar().
---
 ext/intl/intl_convertcpp.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ext/intl/intl_convertcpp.cpp b/ext/intl/intl_convertcpp.cpp
index b919c3fb4087..0eb0878b5701 100644
--- a/ext/intl/intl_convertcpp.cpp
+++ b/ext/intl/intl_convertcpp.cpp
@@ -62,6 +62,10 @@ zend_string* intl_charFromString(const UnicodeString &from, UErrorCode *status)
 //the number of UTF-8 code units is not larger than that of UTF-16 code
 //units * 3
+ if (UNEXPECTED(from.length() > INT32_MAX / 3)) {
+ *status = U_BUFFER_OVERFLOW_ERROR;
+ return NULL;
+ }
 int32_t capacity = from.length() * 3;
 if (from.isEmpty()) {
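Review bot: The new guard is inserted between the comment that explains the `* 3` ("the number of UTF-8 code units is not larger than that of UTF-16 code units * 3") and the `int32_t capacity = from.length() * 3;` line that comment describes, so the derivation is now separated from the computation; either move the four added lines above the comment or give them their own comment, e.g. `// from.length() * 3 below must fit the int32_t capacity handed to u_strToUTF8WithSub()`. The bound itself is right: UnicodeString::length() is an int32_t, so `length() > INT32_MAX / 3` is exactly the range for which the multiply would overflow, and the remaining capacity of at most INT32_MAX - 1 fits the int32_t destCapacity. Returning NULL with U_BUFFER_OVERFLOW_ERROR is described in the message as mirroring intl_stringFromChar(); that sibling is not visible here, so it is worth confirming both guards leave the same status so callers can handle the two paths alike. The body of intl_charFromString() continues past the end of the hunk.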