Fix GH-17463: SplTempFileObject::ftruncate() segfault on negative length.

close GH-465

NEWS

@@ -40,6 +40,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session).
     (David Carlier)
 
+- SPL:
+  . Fixed bug GH-17463 (crash on SplTempFileObject::ftruncate with negative
+    value). (David Carlier)
+
 - Zip:
   . Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).
     (nielsdos)

ext/spl/spl_directory.c

@@ -2708,6 +2708,12 @@ PHP_METHOD(SplFileObject, ftruncate)
 
 	CHECK_SPL_FILE_OBJECT_IS_INITIALIZED(intern);
 
+	if (size < 0) {
+		zend_argument_value_error(1, "must be greater than or equal to 0");
+		RETURN_THROWS();
+	}
+
+
 	if (!php_stream_truncate_supported(intern->u.file.stream)) {
 		zend_throw_exception_ex(spl_ce_LogicException, 0, "Can't truncate file %s", ZSTR_VAL(intern->file_name));
 		RETURN_THROWS();

ext/spl/tests/gh17463.phpt

@@ -0,0 +1,16 @@
+--TEST--
+GH-17463 segfault on SplFileObject::ftruncate() with negative value.
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$cls = new SplTempFileObject();
+
+try {
+	$cls->ftruncate(-1);
+} catch (\ValueError $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECT--
+SplFileObject::ftruncate(): Argument #1 ($size) must be greater than or equal to 0