Commit 4d70d745abe for php.net

commit 4d70d745abe482ec9e9827a4897944486cce7741
Author: Ilia Alshanetsky <ilia@ilia.ws>
Date:   Sun Jun 21 08:06:33 2026 -0400

    Fix int32_t overflow in intl_charFromString() capacity calculation

    intl_charFromString() computed the UTF-8 output capacity as
    from.length() * 3 in int32_t arithmetic. For a UnicodeString longer than
    INT32_MAX/3 UTF-16 units the multiply overflows (UB); capacity can go
    negative, making zend_string_alloc() request a near-SIZE_MAX block, or
    wrap small, undersizing the buffer that u_strToUTF8WithSub() then writes
    into. Reject the over-long input with U_BUFFER_OVERFLOW_ERROR up front,
    mirroring the existing INT32_MAX guard in the sibling intl_stringFromChar().

    Closes GH-22427

diff --git a/ext/intl/intl_convertcpp.cpp b/ext/intl/intl_convertcpp.cpp
index b919c3fb408..0eb0878b570 100644
--- a/ext/intl/intl_convertcpp.cpp
+++ b/ext/intl/intl_convertcpp.cpp
@@ -62,6 +62,10 @@ zend_string* intl_charFromString(const UnicodeString &from, UErrorCode *status)

 	//the number of UTF-8 code units is not larger than that of UTF-16 code
 	//units * 3
+	if (UNEXPECTED(from.length() > INT32_MAX / 3)) {
+		*status = U_BUFFER_OVERFLOW_ERROR;
+		return NULL;
+	}
 	int32_t capacity = from.length() * 3;

 	if (from.isEmpty()) {
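Review bot: The new guard at `if (UNEXPECTED(from.length() > INT32_MAX / 3))` is inserted between the existing "UTF-16 code units * 3" comment and the `int32_t capacity = from.length() * 3;` line that comment explains. The guard itself carries no comment saying where the bound comes from. Either move the check above that comment or give it its own one-line comment stating that the limit keeps `from.length() * 3` representable in int32_t, so the two lines stay visibly tied together if the multiplier ever changes. The early `return NULL` with `*status = U_BUFFER_OVERFLOW_ERROR` also runs before the `from.isEmpty()` branch, so it is worth confirming that every caller checks `*status` or the NULL return before touching the result. The diff only changes ext/intl/intl_convertcpp.cpp, so nothing here exercises the new error path. If a string longer than INT32_MAX / 3 units is too expensive to build in a regular test, say so in the commit message or PR.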