Fix GH-20921: Avoid signed negation of PHP_INT_MIN in memory stream seek

NEWS

@@ -15,6 +15,10 @@ PHP                                                                        NEWS
     IntlCalendar::equals(), ::before(), ::after(), and ::isEquivalentTo().
     (Weilin Du)
 
+- Streams:
+  . Fixed bug GH-20921 (UBSan: Negation of PHP_INT_MIN triggers runtime error
+    in streams/memory.c via SplTempFileObject::fseek). (wadakatu)
+
 - Zlib:
   . Fixed memory leak if deflate initialization fails and there is a dict.
     (ndossche)

ext/standard/tests/streams/gh20921.phpt

@@ -0,0 +1,12 @@
+--TEST--
+GH-20921: SplTempFileObject::fseek with PHP_INT_MIN must not trigger UB
+--FILE--
+<?php
+$f = new SplTempFileObject();
+$f->fwrite("abcdef");
+
+var_dump($f->fseek(PHP_INT_MIN, SEEK_END));
+
+?>
+--EXPECT--
+int(-1)

main/streams/memory.c

@@ -165,7 +165,7 @@ static int php_stream_memory_seek(php_stream *stream, zend_off_t offset, int whe
 				stream->eof = 0;
 				stream->fatal_error = 0;
 				return 0;
-			} else if (ZSTR_LEN(ms->data) < (size_t)(-offset)) {
+			} else if (ZSTR_LEN(ms->data) < -(size_t)offset) {
 				ms->fpos = 0;
 				*newoffs = -1;
 				return -1;