Fix #71882: Negative ftruncate() on php://memory exhausts memory

We must not pass negative sizes to a size_t parameter.

Author: cmb69

NEWS

@@ -48,6 +48,8 @@ PHP                                                                        NEWS
   . Fixed bug #72278 (getimagesize returning FALSE on valid jpg). (cmb)
   . Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
     (cmb)
+  . Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
+    (cmb)
 
 - XML:
   . Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)

ext/standard/file.c

@@ -1512,6 +1512,11 @@ PHP_NAMED_FUNCTION(php_if_ftruncate)
 		RETURN_FALSE;
 	}
 
+	if (size < 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Negative size is not supported");
+		RETURN_FALSE;
+	}
+
 	PHP_STREAM_TO_ZVAL(stream, &fp);
 
 	if (!php_stream_truncate_supported(stream)) {

ext/standard/tests/file/bug71882.phpt

@@ -0,0 +1,11 @@
+--TEST--
+Bug #71882 (Negative ftruncate() on php://memory exhausts memory)
+--FILE--
+<?php
+$fd = fopen("php://memory", "w+");
+ftruncate($fd, -1);
+?>
+==DONE==
+--EXPECTF--
+Warning: ftruncate(): Negative size is not supported in %s%ebug71882.php on line %d
+==DONE==