From 1a270eaf4d7f9f50d882c2a6e23d119ea0d53bfd Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Mon, 13 Jan 2025 18:09:08 +0000
Subject: [PATCH] Fix GH-17463: SplTempFileObject::ftruncate() segfault on negative length.
close GH-465
---
 ext/spl/spl_directory.c | 6 ++++++
 ext/spl/tests/gh17463.phpt | 16 ++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 ext/spl/tests/gh17463.phpt
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index e4e79b0edb861..0a4d1456d65e9 100644
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -2708,6 +2708,12 @@ PHP_METHOD(SplFileObject, ftruncate)
 CHECK_SPL_FILE_OBJECT_IS_INITIALIZED(intern);
+ if (size < 0) {
+ zend_argument_value_error(1, "must be greater than or equal to 0");
+ RETURN_THROWS();
+ }
+
+
 if (!php_stream_truncate_supported(intern->u.file.stream)) {
 zend_throw_exception_ex(spl_ce_LogicException, 0, "Can't truncate file %s", ZSTR_VAL(intern->file_name));
 RETURN_THROWS();
diff --git a/ext/spl/tests/gh17463.phpt b/ext/spl/tests/gh17463.phpt
new file mode 100644
index 0000000000000..41939c62f5b2c
--- /dev/null
+++ b/ext/spl/tests/gh17463.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-17463 segfault on SplFileObject::ftruncate() with negative value.
+--CREDITS--
+YuanchengJiang
+--FILE--
+ftruncate(-1);
+} catch (\ValueError $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECT--
+SplFileObject::ftruncate(): Argument #1 ($size) must be greater than or equal to 0
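Review bot: The new `size < 0` guard in PHP_METHOD(SplFileObject, ftruncate) rejects the bad value only at this one entry point. The truncate call it protects is presumably further down the method, outside the hunk, so it is worth confirming that the stream-level truncate handler cannot be reached with a negative size from any other caller. A short comment above the check would keep the reason visible, for example `/* GH-17463: a negative size must not reach the stream truncate call below */`. The hunk also adds two consecutive empty lines after the closing brace of the guard; one is enough.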
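Review bot: The test in ext/spl/tests/gh17463.phpt pins only the `-1` case and its message, so the boundary of the new `< 0` check is not covered. Adding a call with `PHP_INT_MIN` that expects the same ValueError, and a call with `0` that expects success, would keep the comparison from drifting in a later refactor. The `--FILE--` body is only partly visible on this page, so the object setup is assumed to match the SplTempFileObject case named in the commit subject.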