MFH: Fix integer oveflow in strrpos()

ext/standard/string.c

@@ -1842,7 +1842,7 @@ PHP_FUNCTION(strrpos)
 		p = haystack + offset;
 		e = haystack + haystack_len - needle_len;
 	} else {
-		if (-offset > haystack_len) {
+		if (-offset > haystack_len || offset < -INT_MAX) {
 			php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string");
 			RETURN_FALSE;
 		}

ext/standard/tests/strings/strrpos_offset.phpt

@@ -0,0 +1,41 @@
+--TEST--
+strrpos() offset integer overflow
+--FILE--
+<?php
+
+var_dump(strrpos("t", "t", PHP_INT_MAX+1));
+var_dump(strrpos("tttt", "tt", PHP_INT_MAX+1));
+var_dump(strrpos(100, 101, PHP_INT_MAX+1));
+var_dump(strrpos(1024, 1024, PHP_INT_MAX+1));
+var_dump(strrpos(1024, 1024, -PHP_INT_MAX));
+var_dump(strrpos(1024, "te", -PHP_INT_MAX));
+var_dump(strrpos(1024, 1024, -PHP_INT_MAX-1));
+var_dump(strrpos(1024, "te", -PHP_INT_MAX-1));
+
+echo "Done\n";
+?>
+--EXPECTF--	
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+Done