Backported from 5.6.25 by Remi.

From 791a98eb1c66d2340b4e897ab60e4a6700435b5b Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Thu, 11 Aug 2016 23:36:25 -0700
Subject: [PATCH] Fix for bug #72807 - do not produce strings with negative
 length

---
 Zend/zend_API.h      | 7 +++++--
 ext/curl/interface.c | 4 ++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index a56075e..e17be4c 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -444,7 +444,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
 #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
 #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
 #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)       
+#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
 
 
 ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
@@ -455,7 +455,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
 
 /** Build zend_call_info/cache from a zval*
  *
- * Caller is responsible to provide a return value, otherwise the we will crash. 
+ * Caller is responsible to provide a return value, otherwise the we will crash.
  * fci->retval_ptr_ptr = NULL;
  * In order to pass parameters the following members need to be set:
  * fci->param_count = 0;
@@ -575,6 +575,9 @@ END_EXTERN_C()
 		const char *__s=(s);				\
 		zval *__z = (z);					\
 		Z_STRLEN_P(__z) = strlen(__s);		\
+		if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
+			zend_error(E_ERROR, "String size overflow"); \
+		}									\
 		Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
 		Z_TYPE_P(__z) = IS_STRING;			\
 	} while (0)
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index c7112a0..062f996 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -3506,6 +3506,10 @@ PHP_FUNCTION(curl_escape)
 	ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
 
 	if ((res = curl_easy_escape(ch->cp, str, str_len))) {
+		if (strlen(res) > INT_MAX) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
+			RETURN_FALSE;
+		}
 		RETVAL_STRING(res, 1);
 		curl_free(res);
 	} else {