Fix GH-21700: Assertion failure in _php_stream_seek with user stream returning negative position

Validate that stream->position remains non-negative after a user stream's
seek operation. Some user streams may report success from stream_seek()
while their stream_tell() returns a negative value, leaving stream->position
in an invalid state and triggering ZEND_ASSERT(stream->position >= 0) on
the next SEEK_CUR.

Also reject SEEK_CUR seeks whose absolute target would be negative
(reusing the existing SEEK_SET negative-offset rejection via fall-through),
so the user seek hook is not even invoked in that case.

On invalid post-seek position, restore stream->position to its prior value
and return -1, matching the POSIX fseek() contract that the file-position
indicator is unchanged on failure.

Author: lacatoire

NEWS

@@ -195,6 +195,8 @@ PHP                                                                        NEWS
   . Allowed filtered streams to be casted as fd for select. (Jakub Zelenka)
   . Fixed bug GH-21221 (Prevent closing of innerstream of php://temp stream).
     (ilutov)
+  . Fixed bug GH-21700 (Assertion failure in _php_stream_seek when a user
+    stream returns a negative position). (lacatoire)
   . Improved stream_socket_server() bind failure error reporting. (ilutov)
   . Fixed bug #49874 (ftell() and fseek() inconsistency when using stream
     filters). (Jakub Zelenka)

ext/standard/tests/streams/gh21700_user_stream_negative_position.phpt

@@ -0,0 +1,46 @@
+--TEST--
+GH-21700: User stream returning negative position must not trigger an assertion
+--FILE--
+<?php
+class mystream {
+    public int $pos = 0;
+    public function stream_open($path, $mode, $options, &$opened_path) { return true; }
+    public function stream_seek($offset, $whence) {
+        // Blindly store the offset, mimicking a buggy user implementation.
+        $this->pos = $offset;
+        return true;
+    }
+    public function stream_tell() { return $this->pos; }
+    public function stream_eof() { return false; }
+    public function stream_read($count) { return ''; }
+}
+stream_wrapper_register("test", "mystream");
+
+// 1. SEEK_CUR with a negative resulting absolute position is rejected.
+$fp = fopen("test://foo", "rb");
+var_dump(fseek($fp, -1, SEEK_CUR));
+var_dump(ftell($fp));
+var_dump(fseek($fp, 0, SEEK_CUR));
+fclose($fp);
+
+// 2. A user stream_tell() returning a negative position is rejected,
+//    keeping stream->position non-negative.
+class lyingstream extends mystream {
+    public function stream_tell(): int { return -42; }
+}
+stream_wrapper_unregister("test");
+stream_wrapper_register("test", "lyingstream");
+
+$fp = fopen("test://foo", "rb");
+var_dump(fseek($fp, 100, SEEK_SET));
+var_dump(ftell($fp));
+var_dump(fseek($fp, 0, SEEK_CUR));
+fclose($fp);
+?>
+--EXPECT--
+int(-1)
+int(0)
+int(0)
+int(-1)
+int(0)
+int(-1)

main/streams/streams.c

@@ -1466,19 +1466,31 @@ PHPAPI int _php_stream_seek(php_stream *stream, zend_off_t offset, int whence)
 				} else {
 					offset = stream->position + offset;
 				}
- 				whence = SEEK_SET;
-				break;
+				whence = SEEK_SET;
+				ZEND_FALLTHROUGH;
 			case SEEK_SET:
 				if (offset < 0) {
 					return -1;
 				}
+				break;
 		}
+		zend_off_t saved_position = stream->position;
 		ret = stream->ops->seek(stream, offset, whence, &stream->position);
 
 		if (((stream->flags & PHP_STREAM_FLAG_NO_SEEK) == 0) || ret == 0) {
 			if (ret == 0) {
-				stream->eof = 0;
-				stream->fatal_error = 0;
+				if (UNEXPECTED(stream->position < 0)) {
+					/* The seek operation reported success but updated
+					 * stream->position to a negative value (e.g. a user
+					 * stream's stream_tell() returned a negative offset).
+					 * Treat as failure and restore the original position
+					 * to keep the invariant stream->position >= 0. */
+					stream->position = saved_position;
+					ret = -1;
+				} else {
+					stream->eof = 0;
+					stream->fatal_error = 0;
+				}
 			}
 
 			/* invalidate the buffer contents */