From ac86e1046852c0882a4a0c3f4083a5fdf801aac5 Mon Sep 17 00:00:00 2001
From: Arnaud Le Blanc <arnaud.lb@gmail.com>
Date: Tue, 5 May 2026 11:20:26 +0200
Subject: [PATCH 01/16] Fix compiler warning with GCC 16: variable 'offset' set
 but not used [-Werror=unused-but-set-variable=]

---
 ext/mysqlnd/mysqlnd_result.c | 6 ++----
 ext/opcache/zend_persist.c   | 3 +--
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
index ae8dc77b4cd9..f43b1d7f59d3 100644
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@@ -994,8 +994,7 @@ MYSQLND_METHOD(mysqlnd_res, fetch_into)(MYSQLND_RES * result, const unsigned int
 	array_init_size(return_value, array_size);
 
 	HashTable *row_ht = Z_ARRVAL_P(return_value);
-	MYSQLND_FIELD *field = meta->fields;
-	for (unsigned i = 0; i < meta->field_count; i++, field++) {
+	for (unsigned i = 0; i < meta->field_count; i++) {
 		zval *data = &row_data[i];
 
 		if (flags & MYSQLND_FETCH_NUM) {
@@ -1038,10 +1037,9 @@ MYSQLND_METHOD(mysqlnd_res, fetch_row_c)(MYSQLND_RES * result)
 	mysqlnd_result_free_prev_data(result);
 	if (result->m.fetch_row(result, &row_data, 0, &fetched_anything) == PASS && fetched_anything) {
 		unsigned field_count = result->field_count;
-		MYSQLND_FIELD *field = result->meta->fields;
 
 		ret = mnd_emalloc(field_count * sizeof(char *));
-		for (unsigned i = 0; i < field_count; i++, field++) {
+		for (unsigned i = 0; i < field_count; i++) {
 			zval *data = &row_data[i];
 			if (Z_TYPE_P(data) != IS_NULL) {
 				convert_to_string(data);
diff --git a/ext/opcache/zend_persist.c b/ext/opcache/zend_persist.c
index f8e11e4d01ec..3f80b7d65d99 100644
--- a/ext/opcache/zend_persist.c
+++ b/ext/opcache/zend_persist.c
@@ -525,9 +525,8 @@ static void zend_persist_op_array_ex(zend_op_array *op_array, zend_persistent_sc
 		zend_op *new_opcodes = zend_shared_memdup_put(op_array->opcodes, sizeof(zend_op) * op_array->last);
 		zend_op *opline = new_opcodes;
 		zend_op *end = new_opcodes + op_array->last;
-		int offset = 0;
 
-		for (; opline < end ; opline++, offset++) {
+		for (; opline < end ; opline++) {
 #if ZEND_USE_ABS_CONST_ADDR
 			if (opline->op1_type == IS_CONST) {
 				opline->op1.zv = (zval*)((char*)opline->op1.zv + ((char*)op_array->literals - (char*)orig_literals));

From 6a2751450930e111ec960f5fb76754db21b9d919 Mon Sep 17 00:00:00 2001
From: Arnaud Le Blanc <arnaud.lb@gmail.com>
Date: Tue, 5 May 2026 11:22:09 +0200
Subject: [PATCH 02/16] Fix compiler warning with glibc 2.43 support of C23
 const-preserving standard library macros: assignment discards 'const'
 qualifier from pointer target type [-Werror=discarded-qualifiers]

See https://sourceware.org/cgit/glibc/commit/?id=cd748a63ab1

Closes GH-21950
---
 ext/mysqlnd/mysqlnd_alloc.c        | 10 +++++-----
 ext/mysqlnd/mysqlnd_connection.c   |  2 +-
 ext/mysqlnd/mysqlnd_wireprotocol.c |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ext/mysqlnd/mysqlnd_alloc.c b/ext/mysqlnd/mysqlnd_alloc.c
index 06971b3487dd..3c059f327ac9 100644
--- a/ext/mysqlnd/mysqlnd_alloc.c
+++ b/ext/mysqlnd/mysqlnd_alloc.c
@@ -201,7 +201,7 @@ static void _mysqlnd_efree(void *ptr MYSQLND_MEM_D)
 
 #if PHP_DEBUG
 	{
-		char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
+		const char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
 		TRACE_ALLOC_INF_FMT("file=%-15s line=%4d", fn? fn + 1:__zend_filename, __zend_lineno);
 	}
 #endif
@@ -232,7 +232,7 @@ static void _mysqlnd_pefree(void *ptr, bool persistent MYSQLND_MEM_D)
 
 #if PHP_DEBUG
 	{
-		char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
+		const char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
 		TRACE_ALLOC_INF_FMT("file=%-15s line=%4d", fn? fn + 1:__zend_filename, __zend_lineno);
 	}
 #endif
@@ -264,7 +264,7 @@ static char * _mysqlnd_pememdup(const char * const ptr, size_t length, bool pers
 
 #if PHP_DEBUG
 	{
-		char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
+		const char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
 		TRACE_ALLOC_INF_FMT("file=%-15s line=%4d", fn? fn + 1:__zend_filename, __zend_lineno);
 	}
 #endif
@@ -295,7 +295,7 @@ static char * _mysqlnd_pestrndup(const char * const ptr, size_t length, bool per
 
 #if PHP_DEBUG
 	{
-		char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
+		const char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
 		TRACE_ALLOC_INF_FMT("file=%-15s line=%4d", fn? fn + 1:__zend_filename, __zend_lineno);
 	}
 #endif
@@ -336,7 +336,7 @@ static char * _mysqlnd_pestrdup(const char * const ptr, bool persistent MYSQLND_
 	TRACE_ALLOC_ENTER(mysqlnd_pestrdup_name);
 #if PHP_DEBUG
 	{
-		char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
+		const char * fn = strrchr(__zend_filename, PHP_DIR_SEPARATOR);
 		TRACE_ALLOC_INF_FMT("file=%-15s line=%4d", fn? fn + 1:__zend_filename, __zend_lineno);
 	}
 #endif
diff --git a/ext/mysqlnd/mysqlnd_connection.c b/ext/mysqlnd/mysqlnd_connection.c
index 2402ad6fc8f4..2d7d97b237e5 100644
--- a/ext/mysqlnd/mysqlnd_connection.c
+++ b/ext/mysqlnd/mysqlnd_connection.c
@@ -557,7 +557,7 @@ MYSQLND_METHOD(mysqlnd_conn_data, get_scheme)(MYSQLND_CONN_DATA * conn, MYSQLND_
 			/* IPv6 without square brackets so without port */
 			transport.l = mnd_sprintf(&transport.s, 0, "tcp://[%s]:%u", hostname.s, port);
 		} else {
-			char *p;
+			const char *p;
 
 			/* IPv6 addresses are in the format [address]:port */
 			if (hostname.s[0] == '[') { /* IPv6 */
diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c
index 36fd53233737..64c2c7969619 100644
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -461,7 +461,7 @@ php_mysqlnd_greet_read(MYSQLND_CONN_DATA * conn, void * _packet)
 			packet->auth_protocol = estrdup("");
 		} else {
 			/* Check if NUL present */
-			char *null_terminator = memchr(p, '\0', remaining_size);
+			const char *null_terminator = memchr(p, '\0', remaining_size);
 			size_t auth_protocol_len;
 			if (null_terminator) {
 				/* If present, do basically estrdup */

From 33caad78f044bbe3137f26b164e233ef6b634e81 Mon Sep 17 00:00:00 2001
From: Arnaud Le Blanc <arnaud.lb@gmail.com>
Date: Wed, 6 May 2026 12:39:47 +0200
Subject: [PATCH 03/16] Fix bad merge

---
 ext/mysqlnd/mysqlnd_result.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
index 1f811c8795df..b4d0bdbd8d2c 100644
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@@ -990,7 +990,7 @@ MYSQLND_METHOD(mysqlnd_res, fetch_into)(MYSQLND_RES * result, const unsigned int
 
 	HashTable *row_ht = Z_ARRVAL_P(return_value);
 	MYSQLND_FIELD *field = meta->fields;
-	for (unsigned i = 0; i < meta->field_count; i++) {
+	for (unsigned i = 0; i < meta->field_count; i++, field++) {
 		zval *data = &row_data[i];
 
 		if (flags & MYSQLND_FETCH_NUM) {

From aee3b3ac9b816b0def1c462695b483b49a83148e Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:56:53 +0200
Subject: [PATCH 04/16] GHSA-85c2-q967-79q5: [soap] Fix stale
 SOAP_GLOBAL(ref_map) pointer with Apache Map

Fixes GHSA-85c2-q967-79q5
Fixes CVE-2026-6722
---
 ext/soap/php_encoding.c                 |  3 +-
 ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index a685dbcd228a..725c279d8d42 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -365,6 +365,7 @@ static bool soap_check_xml_ref(zval *data, xmlNodePtr node)
 static void soap_add_xml_ref(zval *data, xmlNodePtr node)
 {
 	if (SOAP_GLOBAL(ref_map)) {
+		Z_TRY_ADDREF_P(data);
 		zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
 	}
 }
@@ -3448,7 +3449,7 @@ void encode_reset_ns()
 	} else {
 		SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
 	}
-	zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
+	zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
 }
 
 void encode_finish()
diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
new file mode 100644
index 000000000000..8bcac26ad187
--- /dev/null
+++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
+--CREDITS--
+brettgervasoni
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+class Handler {
+    public function test(...$args) {
+        $GLOBALS['result'] = $args;
+    }
+}
+
+$envelope = <<<'XML'
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope
+    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+    <soapenv:Body>
+        <test>
+            <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
+                <item>
+                    <key>foo</key>
+                    <value id="stale"><object>bar</object></value>
+                </item>
+                <item>
+                    <key>foo</key>
+                    <value>baz</value>
+                </item>
+            </map>
+            <stale href="#stale"/>
+        </test>
+    </soapenv:Body>
+</soapenv:Envelope>
+XML;
+
+$s = new SoapServer(null, ['uri' => 'urn:a']);
+$s->setClass(Handler::class);
+$s->handle($envelope);
+var_dump($result);
+
+?>
+--EXPECTF--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
+array(2) {
+  [0]=>
+  array(1) {
+    ["foo"]=>
+    string(3) "baz"
+  }
+  [1]=>
+  object(stdClass)#%d (1) {
+    ["object"]=>
+    string(3) "bar"
+  }
+}

From db2a7f9348fd5dda5fd162061786a664c417bf5b Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:57:16 +0200
Subject: [PATCH 05/16] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
 header parsing failure with SOAP_PERSISTENCE_SESSION

Fixes GHSA-m33r-qmcv-p97q
Fixes CVE-2026-7261
---
 ext/soap/soap.c                         | 12 ++++-
 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 58 +++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt

diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 1350c0c0a344..02501b8d73ff 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1438,12 +1438,20 @@ PHP_METHOD(SoapServer, handle)
 				    instanceof_function(Z_OBJCE(h->retval), soap_fault_class_entry)) {
 					php_output_discard();
 					soap_server_fault_ex(function, &h->retval, h);
-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+					if (service->type == SOAP_CLASS && soap_obj) {
+						if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+							zval_ptr_dtor(soap_obj);
+						}
+					}
 					goto fail;
 				} else if (EG(exception)) {
 					php_output_discard();
 					_soap_server_exception(service, function, ZEND_THIS);
-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+					if (service->type == SOAP_CLASS && soap_obj) {
+						if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+							zval_ptr_dtor(soap_obj);
+						}
+					}
 					goto fail;
 				}
 			} else if (h->mustUnderstand) {
diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
new file mode 100644
index 000000000000..bcf441ccd18a
--- /dev/null
+++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
@@ -0,0 +1,58 @@
+--TEST--
+GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+session
+--FILE--
+<?php
+
+class Handler {
+    public function return()  {
+        return new SoapFault('Server', 'denied');
+    }
+    public function throw()  {
+        throw new SoapFault('Server', 'denied');
+    }
+    public function hello() {
+        return 'ok';
+    }
+}
+
+session_start();
+
+$srv = new SoapServer(null, ['uri' => 'urn:a']);
+$srv->setClass(Handler::class);
+$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
+
+$srv->handle(<<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+    <soap:Header>
+        <a:return/>
+    </soap:Header>
+    <soap:Body>
+        <a:hello/>
+    </soap:Body>
+</soap:Envelope>
+XML);
+
+$srv->handle(<<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+    <soap:Header>
+        <a:throw/>
+    </soap:Header>
+    <soap:Body>
+        <a:hello/>
+    </soap:Body>
+</soap:Envelope>
+XML);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

From 79551ab8b1a97760c739e372f9bc359619f3554d Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 25 Apr 2026 00:44:37 +0200
Subject: [PATCH 06/16] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
 NULL check

Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262
---
 ext/soap/php_encoding.c                 |  2 +-
 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 725c279d8d42..0865726ceb9b 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2722,7 +2722,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data)
 			}
 
 			xmlValue = get_node(item->children, "value");
-			if (!xmlKey) {
+			if (!xmlValue) {
 				soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value");
 			}
 
diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
new file mode 100644
index 000000000000..e46ab2e4607d
--- /dev/null
+++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+$request = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope
+    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:apache="http://xml.apache.org/xml-soap">
+
+    <soap:Body>
+        <test>
+            <map xsi:type="apache:Map">
+                <item><key>hello</key></item>
+            </map>
+        </test>
+    </soap:Body>
+</soap:Envelope>
+XML;
+
+$server = new SoapServer(null, [
+    'uri' => 'urn:test',
+    'typemap' => [['type_name' => 'anything']],
+]);
+$server->addFunction('test');
+function test($m) { return null; }
+$server->handle($request);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

From 99a5ad7441de9914246c7863adb6997396008b9d Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sun, 3 May 2026 20:01:41 +0200
Subject: [PATCH 07/16] GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint

Fixes GHSA-7qg2-v9fj-4mwv
Fixes CVE-2026-6735
---
 sapi/fpm/fpm/fpm_status.c                     | 34 +++++++++++--
 .../tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 48 +++++++++++++++++++
 2 files changed, 78 insertions(+), 4 deletions(-)
 create mode 100644 sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt

diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c
index cebaa18c964b..0339b75a1449 100644
--- a/sapi/fpm/fpm/fpm_status.c
+++ b/sapi/fpm/fpm/fpm_status.c
@@ -528,8 +528,8 @@ int fpm_status_handle_request(void) /* {{{ */
 		if (full_syntax) {
 			unsigned int i;
 			int first;
-			zend_string *tmp_query_string;
-			char *query_string;
+			zend_string *tmp_query_string, *tmp_request_uri_string;
+			char *query_string, *request_uri_string;
 			struct timeval duration, now;
 			float cpu;
 
@@ -554,13 +554,36 @@ int fpm_status_handle_request(void) /* {{{ */
 					}
 				}
 
+				request_uri_string = NULL;
+				tmp_request_uri_string = NULL;
+				if (proc->request_uri[0] != '\0') {
+					if (encode_html) {
+						tmp_request_uri_string = php_escape_html_entities_ex(
+								(const unsigned char *) proc->request_uri,
+								strlen(proc->request_uri), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT,
+								NULL, /* double_encode */ 1, /* quiet */ 0);
+						request_uri_string = ZSTR_VAL(tmp_request_uri_string);
+					} else if (encode_json) {
+						tmp_request_uri_string = php_json_encode_string(proc->request_uri,
+								strlen(proc->request_uri), PHP_JSON_INVALID_UTF8_IGNORE);
+						request_uri_string = ZSTR_VAL(tmp_request_uri_string);
+						/* remove quotes around the string */
+						if (ZSTR_LEN(tmp_request_uri_string) >= 2) {
+							request_uri_string[ZSTR_LEN(tmp_request_uri_string) - 1] = '\0';
+							++request_uri_string;
+						}
+					} else {
+						request_uri_string = proc->request_uri;
+					}
+				}
+
 				query_string = NULL;
 				tmp_query_string = NULL;
 				if (proc->query_string[0] != '\0') {
 					if (encode_html) {
 						tmp_query_string = php_escape_html_entities_ex(
 								(const unsigned char *) proc->query_string,
-								strlen(proc->query_string), 1, ENT_HTML_IGNORE_ERRORS & ENT_COMPAT,
+								strlen(proc->query_string), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT,
 								NULL, /* double_encode */ 1, /* quiet */ 0);
 					} else if (encode_json) {
 						tmp_query_string = php_json_encode_string(proc->query_string,
@@ -599,7 +622,7 @@ int fpm_status_handle_request(void) /* {{{ */
 					proc->requests,
 					duration.tv_sec * 1000000UL + duration.tv_usec,
 					proc->request_method[0] != '\0' ? proc->request_method : "-",
-					proc->request_uri[0] != '\0' ? proc->request_uri : "-",
+					request_uri_string ? request_uri_string : "-",
 					query_string ? "?" : "",
 					query_string ? query_string : "",
 					proc->content_length,
@@ -610,6 +633,9 @@ int fpm_status_handle_request(void) /* {{{ */
 				PUTS(buffer);
 				efree(buffer);
 
+				if (tmp_request_uri_string) {
+					zend_string_free(tmp_request_uri_string);
+				}
 				if (tmp_query_string) {
 					zend_string_free(tmp_query_string);
 				}
diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
new file mode 100644
index 000000000000..475bc130a42b
--- /dev/null
+++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt
@@ -0,0 +1,48 @@
+--TEST--
+FPM: GHSA-7qg2-v9fj-4mwv - status xss
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = static
+pm.max_children = 2
+pm.status_path = /status
+catch_workers_output = yes
+EOT;
+
+$code = <<<EOT
+<?php
+usleep(200000);
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$responses = $tester
+        ->multiRequest([
+                ['uri' => '/<script>alert(1)</script>', 'query' => '<script>alert(2)</script>'],
+                ['uri' => '/status', 'query' => 'full&html', 'delay' => 100000],
+        ]);
+var_dump(strpos($responses[1]->getBody(), '<script>'));
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+bool(false)
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>

From 79a054eae016c56409432e69aebc8ca908a88838 Mon Sep 17 00:00:00 2001
From: vi3tL0u1s <luuviethoang.attt@gmail.com>
Date: Sun, 3 May 2026 20:02:21 +0200
Subject: [PATCH 08/16] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer
 dereference in php_mb_check_encoding() via mb_ereg_search_init()

Fixes GHSA-wm6j-2649-pv75
Fixes CVE-2026-7259
---
 Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++
 ext/mbstring/php_mbregex.c          |  7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt

diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
new file mode 100644
index 000000000000..7257af27cb87
--- /dev/null
+++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
+--CREDITS--
+vi3tL0u1s
+--EXTENSIONS--
+mbstring
+--SKIPIF--
+<?php
+if (!function_exists('mb_regex_encoding')) die('skip No mbregex support');
+?>
+--FILE--
+<?php
+// iso-8859-11 is supported by Oniguruma but not by mbfl
+mb_regex_encoding('iso-8859-11');
+mb_ereg_search_init('x');
+?>
+--EXPECTF--
+Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
+Stack trace:
+#0 %s(%d): mb_regex_encoding('iso-8859-11')
+#1 {main}
+  thrown in %s on line %d
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 99dc91e34dca..08195e1765ec 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
 	if (mbctype == ONIG_ENCODING_UNDEF) {
 		return FAILURE;
 	}
+	const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
+	if (mbfl_enc == NULL) {
+		/* Encoding supported by Oniguruma but not by mbfl */
+		return FAILURE;
+	}
 	MBREX(current_mbctype) = mbctype;
-	MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
+	MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
 	return SUCCESS;
 }
 /* }}} */

From 3f40b65323dd1b85e9bab6878237d3867e449d5c Mon Sep 17 00:00:00 2001
From: Saki Takamachi <saki@sakiot.com>
Date: Sun, 3 May 2026 19:56:30 +0200
Subject: [PATCH 09/16] GHSA-w476-322c-wpvm: [pdo_firebird] Fix SQL injection
 via NUL bytes in quoted strings

Fixes GHSA-w476-322c-wpvm
Fixes CVE-2025-14179
---
 ext/pdo_firebird/firebird_driver.c            | 69 ++++++++++++-------
 .../tests/ghsa-w476-322c-wpvm.phpt            | 44 ++++++++++++
 2 files changed, 88 insertions(+), 25 deletions(-)
 create mode 100644 ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt

diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
index a192a0adb10c..fad41da66a56 100644
--- a/ext/pdo_firebird/firebird_driver.c
+++ b/ext/pdo_firebird/firebird_driver.c
@@ -293,7 +293,7 @@ static FbTokenType getToken(const char** begin, const char* end)
 	return ret;
 }
 
-int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
+int preprocess(const zend_string* sql, char* sql_out, size_t* sql_out_len, HashTable* named_params)
 {
 	bool passAsIs = 1, execBlock = 0;
 	zend_long pindex = -1;
@@ -324,7 +324,7 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 	if (l > 252) {
 		return 0;
 	}
-	strncpy(ident, i, l);
+	memcpy(ident, i, l);
 	ident[l] = '\0';
 	if (!strcasecmp(ident, "EXECUTE"))
 	{
@@ -349,7 +349,7 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 		if (l > 252) {
 			return 0;
 		}
-		strncpy(ident2, i2, l);
+		memcpy(ident2, i2, l);
 		ident2[l] = '\0';
 		execBlock = !strcasecmp(ident2, "BLOCK");
 		passAsIs = 0;
@@ -365,11 +365,15 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 
 	if (passAsIs)
 	{
-		strcpy(sql_out, ZSTR_VAL(sql));
+		memcpy(sql_out, ZSTR_VAL(sql), ZSTR_LEN(sql));
+		sql_out[ZSTR_LEN(sql)] = '\0';
+		*sql_out_len = ZSTR_LEN(sql);
 		return 1;
 	}
 
-	strncat(sql_out, start, p - start);
+	char *sql_out_p = sql_out;
+	memcpy(sql_out_p, start, p - start);
+	sql_out_p += p - start;
 
 	while (p < end)
 	{
@@ -377,10 +381,12 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 		tok = getToken(&p, end);
 		switch (tok)
 		{
-		case ttParamMark:
-			tok = getToken(&p, end);
+		case ttParamMark: {
+			const char* p_peek = p;
+			tok = getToken(&p_peek, end);
 			if (tok == ttIdent /*|| tok == ttString*/)
 			{
+				p = p_peek;
 				++pindex;
 				l = p - start;
 				/* check the length of the identifier */
@@ -389,7 +395,7 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 				if (l > 253) {
 					return 0;
 				}
-				strncpy(pname, start, l);
+				memcpy(pname, start, l);
 				pname[l] = '\0';
 
 				if (named_params) {
@@ -398,7 +404,7 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 					zend_hash_str_update(named_params, pname, l, &tmp);
 				}
 
-				strcat(sql_out, "?");
+				*sql_out_p++ = '?';
 			}
 			else
 			{
@@ -408,10 +414,11 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 					return 0;
 				}
 				++pindex;
-				strncat(sql_out, start, p - start);
+				memcpy(sql_out_p, start, p - start);
+				sql_out_p += p - start;
 			}
 			break;
-
+		}
 		case ttIdent:
 			if (execBlock)
 			{
@@ -423,11 +430,14 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 				if (l > 252) {
 					return 0;
 				}
-				strncpy(ident, start, l);
+				memcpy(ident, start, l);
 				ident[l] = '\0';
 				if (!strcasecmp(ident, "AS"))
 				{
-					strncat(sql_out, start, end - start);
+					memcpy(sql_out_p, start, end - start);
+					sql_out_p += end - start;
+					*sql_out_p = '\0';
+					*sql_out_len = sql_out_p - sql_out;
 					return 1;
 				}
 			}
@@ -438,7 +448,8 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 		case ttComment:
 		case ttString:
 		case ttOther:
-			strncat(sql_out, start, p - start);
+			memcpy(sql_out_p, start, p - start);
+			sql_out_p += p - start;
 			break;
 
 		case ttBrokenComment:
@@ -456,6 +467,8 @@ int preprocess(const zend_string* sql, char* sql_out, HashTable* named_params)
 			break;
 		}
 	}
+	*sql_out_p = '\0';
+	*sql_out_len = sql_out_p - sql_out;
 	return 1;
 }
 
@@ -665,7 +678,7 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const zend_string *sql) /*
 static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquoted, enum pdo_param_type paramtype)
 {
 	size_t qcount = 0;
-	char const *co, *l, *r;
+	char const *co, *l;
 	char *c;
 	size_t quotedlen;
 	zend_string *quoted_str;
@@ -674,9 +687,15 @@ static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *un
 		return zend_string_init("''", 2, 0);
 	}
 
+	const char * const end = ZSTR_VAL(unquoted) + ZSTR_LEN(unquoted);
+
 	/* Firebird only requires single quotes to be doubled if string lengths are used */
 	/* count the number of ' characters */
-	for (co = ZSTR_VAL(unquoted); (co = strchr(co,'\'')); qcount++, co++);
+	for (co = ZSTR_VAL(unquoted); co < end; co++) {
+		if (*co == '\'') {
+			qcount++;
+		}
+	}
 
 	if (UNEXPECTED(ZSTR_LEN(unquoted) + 2 > ZSTR_MAX_LEN - qcount)) {
 		return NULL;
@@ -688,15 +707,14 @@ static zend_string* firebird_handle_quoter(pdo_dbh_t *dbh, const zend_string *un
 	*c++ = '\'';
 
 	/* foreach (chunk that ends in a quote) */
-	for (l = ZSTR_VAL(unquoted); (r = strchr(l,'\'')); l = r+1) {
-		strncpy(c, l, r-l+1);
-		c += (r-l+1);
-		/* add the second quote */
-		*c++ = '\'';
+	for (l = ZSTR_VAL(unquoted); l < end; l++) {
+		*c++ = *l;
+		if (*l == '\'') {
+			/* add the second quote */
+			*c++ = '\'';
+		}
 	}
 
-	/* copy the remainder */
-	strncpy(c, l, quotedlen-(c-ZSTR_VAL(quoted_str))-1);
 	ZSTR_VAL(quoted_str)[quotedlen-1] = '\'';
 	ZSTR_VAL(quoted_str)[quotedlen]   = '\0';
 
@@ -789,6 +807,7 @@ static int firebird_alloc_prepare_stmt(pdo_dbh_t *dbh, const zend_string *sql,
 {
 	pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
 	char *new_sql;
+	size_t new_sql_len;
 
 	/* Firebird allows SQL statements up to 64k, so bail if it doesn't fit */
 	if (ZSTR_LEN(sql) > 65536) {
@@ -816,14 +835,14 @@ static int firebird_alloc_prepare_stmt(pdo_dbh_t *dbh, const zend_string *sql,
 	   we need to replace :foo by ?, and store the name we just replaced */
 	new_sql = emalloc(ZSTR_LEN(sql)+1);
 	new_sql[0] = '\0';
-	if (!preprocess(sql, new_sql, named_params)) {
+	if (!preprocess(sql, new_sql, &new_sql_len, named_params)) {
 		strcpy(dbh->error_code, "07000");
 		efree(new_sql);
 		return 0;
 	}
 
 	/* prepare the statement */
-	if (isc_dsql_prepare(H->isc_status, &H->tr, s, 0, new_sql, H->sql_dialect, out_sqlda)) {
+	if (isc_dsql_prepare(H->isc_status, &H->tr, s, new_sql_len, new_sql, H->sql_dialect, out_sqlda)) {
 		RECORD_ERROR(dbh);
 		efree(new_sql);
 		return 0;
diff --git a/ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt b/ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt
new file mode 100644
index 000000000000..41c1125e9b9c
--- /dev/null
+++ b/ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt
@@ -0,0 +1,44 @@
+--TEST--
+GHSA-w476-322c-wpvm: SQL injection in pdo_firebird via NUL bytes in quoted strings
+--EXTENSIONS--
+pdo_firebird
+--SKIPIF--
+<?php require('skipif.inc'); ?>
+--XLEAK--
+A bug in firebird causes a memory leak when calling `isc_attach_database()`.
+See https://github.com/FirebirdSQL/firebird/issues/7849
+--FILE--
+<?php
+
+require("testdb.inc");
+
+$dbh->exec('CREATE TABLE ghsa_w476_322c_wpvm (name VARCHAR(255))');
+
+$param = $dbh->quote("\0");
+$param2 = $dbh->quote('or 1=1--');
+var_export($param);
+echo("\n");
+
+echo "prepare: ";
+$stmt = $dbh->prepare("SELECT * FROM ghsa_w476_322c_wpvm WHERE name = {$param} AND name = {$param2}");
+$stmt->execute();
+echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC)) . "\n";
+
+echo "query:   ";
+$stmt = $dbh->query("SELECT * FROM ghsa_w476_322c_wpvm WHERE name = {$param} AND name = {$param2}");
+echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC)) . "\n";
+
+echo "exec:    ";
+$affectedRows = $dbh->exec("UPDATE ghsa_w476_322c_wpvm SET name = 'updated' WHERE name = {$param} AND name = {$param2}");
+echo $affectedRows . "\n";
+?>
+--CLEAN--
+<?php
+require 'testdb.inc';
+$dbh->exec("DROP TABLE ghsa_w476_322c_wpvm");
+?>
+--EXPECT--
+'\'' . "\0" . '\''
+prepare: []
+query:   []
+exec:    0

From 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
Date: Sun, 3 May 2026 20:02:57 +0200
Subject: [PATCH 10/16] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer
 overflow of char array offset

Fixes GHSA-96wq-48vp-hh57
Fixes CVE-2026-7568
---
 ext/standard/metaphone.c                    |  6 +++---
 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt

diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
index 2ba7a839c88e..7affde44de1f 100644
--- a/ext/standard/metaphone.c
+++ b/ext/standard/metaphone.c
@@ -117,10 +117,10 @@ static const char _codes[26] =
 
 /* Allows us to safely look ahead an arbitrary # of letters */
 /* I probably could have just used strlen... */
-static char Lookahead(char *word, int how_far)
+static char Lookahead(char *word, size_t how_far)
 {
 	char letter_ahead = '\0';	/* null by default */
-	int idx;
+	size_t idx;
 	for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
 	/* Edge forward in the string... */
 
@@ -161,7 +161,7 @@ static char Lookahead(char *word, int how_far)
 /* {{{ metaphone */
 static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
 {
-	int w_idx = 0;				/* point in the phonization we're at. */
+	size_t w_idx = 0;				/* point in the phonization we're at. */
 	size_t p_idx = 0;				/* end of the phoned phrase */
 	size_t max_buffer_len = 0;		/* maximum length of the destination buffer */
 	ZEND_ASSERT(word != NULL);
diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
new file mode 100644
index 000000000000..79c6b6567339
--- /dev/null
+++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
+--CREDITS--
+012git012
+--INI--
+memory_limit=3G
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
+?>
+--FILE--
+<?php
+
+$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
+metaphone($str, 1);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===

From a38418777f65780d9d622197677e90567690fc07 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 20:03:18 +0200
Subject: [PATCH 11/16] GHSA-m8rr-4c36-8gq4: Consistently pass unsigned char to
 ctype.h functions

Fixes GHSA-m8rr-4c36-8gq4
Fixes CVE-2026-7258
---
 Zend/zend_compile.c                 |  2 +-
 Zend/zend_ini.c                     |  6 +++---
 Zend/zend_operators.c               |  8 ++++----
 Zend/zend_virtual_cwd.c             | 10 +++++-----
 Zend/zend_virtual_cwd.h             |  2 +-
 ext/com_dotnet/com_extension.c      |  4 ++--
 ext/date/lib/parse_date.c           | 10 +++++-----
 ext/date/lib/parse_date.re          | 10 +++++-----
 ext/date/lib/parse_iso_intervals.c  |  4 ++--
 ext/date/lib/parse_iso_intervals.re |  4 ++--
 ext/date/lib/timelib.c              |  2 +-
 ext/filter/logical_filters.c        | 10 +++++-----
 ext/ftp/ftp.c                       | 10 +++++-----
 ext/gd/libgd/gd_xbm.c               |  2 +-
 ext/imap/php_imap.c                 |  2 +-
 ext/intl/locale/locale_methods.c    |  2 +-
 ext/mbstring/mbstring.c             |  4 ++--
 ext/mbstring/php_mbregex.c          |  2 +-
 ext/pcre/php_pcre.c                 |  4 ++--
 ext/pdo/pdo.c                       |  2 +-
 ext/pdo/pdo_sql_parser.re           |  2 +-
 ext/pdo/pdo_stmt.c                  |  2 +-
 ext/standard/dl.c                   |  2 +-
 ext/standard/exec.c                 |  2 +-
 ext/standard/file.c                 |  2 +-
 ext/standard/filters.c              |  2 +-
 ext/standard/formatted_print.c      |  8 ++++----
 ext/standard/ftp_fopen_wrapper.c    | 12 ++++++------
 ext/standard/html.c                 |  4 ++--
 ext/standard/math.c                 |  6 +++---
 ext/standard/metaphone.c            | 18 ++++++++---------
 ext/standard/quot_print.c           |  8 ++++----
 ext/standard/scanf.c                | 10 +++++-----
 ext/standard/soundex.c              |  2 +-
 ext/standard/string.c               | 14 +++++++-------
 ext/standard/strnatcmp.c            | 30 ++++++++++++++---------------
 ext/standard/type.c                 |  2 +-
 ext/standard/url.c                  | 20 +++++++++----------
 ext/standard/url_scanner_ex.re      |  6 +++---
 ext/standard/versioning.c           | 16 +++++++--------
 main/SAPI.c                         |  6 +++---
 main/fopen_wrappers.c               |  6 +++---
 main/php_ini.c                      |  2 +-
 main/php_ini_builder.c              |  2 +-
 main/php_variables.c                |  4 ++--
 main/rfc1867.c                      | 12 ++++++------
 main/snprintf.c                     | 14 +++++++-------
 main/spprintf.c                     | 14 +++++++-------
 main/streams/streams.c              |  4 ++--
 main/streams/transports.c           |  2 +-
 sapi/cli/php_cli_server.c           |  2 +-
 sapi/fpm/fpm/fpm_conf.c             |  4 ++--
 sapi/litespeed/lsapi_main.c         |  4 ++--
 sapi/litespeed/lsapilib.c           |  6 +++---
 sapi/phpdbg/phpdbg_cmd.c            |  4 ++--
 sapi/phpdbg/phpdbg_prompt.c         |  2 +-
 sapi/phpdbg/phpdbg_utils.c          | 10 +++++-----
 win32/sendmail.c                    |  6 +++---
 58 files changed, 186 insertions(+), 186 deletions(-)

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 52b3417234cf..bea764453b82 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -1977,7 +1977,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)
 	/* Note that on Win32 CWD is per drive (heritage from CP/M).
 	 * This means dirname("c:foo") maps to "c:." or "c:" - which means CWD on C: drive.
 	 */
-	if ((2 <= len) && isalpha((int)((unsigned char *)path)[0]) && (':' == path[1])) {
+	if ((2 <= len) && isalpha((unsigned char)path[0]) && (':' == path[1])) {
 		/* Skip over the drive spec (if any) so as not to change */
 		path += 2;
 		len_adjust += 2;
diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c
index cfa394d43e97..3201eec04922 100644
--- a/Zend/zend_ini.c
+++ b/Zend/zend_ini.c
@@ -555,7 +555,7 @@ static const char *zend_ini_consume_quantity_prefix(const char *const digits, co
 		++digits_consumed;
 	}
 
-	if (digits_consumed[0] == '0' && !isdigit(digits_consumed[1])) {
+	if (digits_consumed[0] == '0' && !isdigit((unsigned char)digits_consumed[1])) {
 		/* Value is just 0 */
 		if ((digits_consumed+1) == str_end) {
 			return digits;
@@ -608,7 +608,7 @@ static zend_ulong zend_ini_parse_quantity_internal(zend_string *value, zend_ini_
 	}
 
 	/* if there is no digit after +/- */
-	if (!isdigit(digits[0])) {
+	if (!isdigit((unsigned char)digits[0])) {
 		/* Escape the string to avoid null bytes and to make non-printable chars
 		 * visible */
 		smart_str_append_escaped(&invalid, ZSTR_VAL(value), ZSTR_LEN(value));
@@ -622,7 +622,7 @@ static zend_ulong zend_ini_parse_quantity_internal(zend_string *value, zend_ini_
 	}
 
 	int base = 0;
-	if (digits[0] == '0' && !isdigit(digits[1])) {
+	if (digits[0] == '0' && !isdigit((unsigned char)digits[1])) {
 		/* Value is just 0 */
 		if ((digits+1) == str_end) {
 			*errstr = NULL;
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 02ca378bd854..e1d7141b586a 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -3038,8 +3038,8 @@ ZEND_API int ZEND_FASTCALL zend_binary_strcasecmp_l(const char *s1, size_t len1,
 
 	len = MIN(len1, len2);
 	while (len--) {
-		c1 = zend_tolower((int)*(unsigned char *)s1++);
-		c2 = zend_tolower((int)*(unsigned char *)s2++);
+		c1 = zend_tolower((unsigned char)*(s1++));
+		c2 = zend_tolower((unsigned char)*(s2++));
 		if (c1 != c2) {
 			return c1 - c2;
 		}
@@ -3059,8 +3059,8 @@ ZEND_API int ZEND_FASTCALL zend_binary_strncasecmp_l(const char *s1, size_t len1
 	}
 	len = MIN(length, MIN(len1, len2));
 	while (len--) {
-		c1 = zend_tolower((int)*(unsigned char *)s1++);
-		c2 = zend_tolower((int)*(unsigned char *)s2++);
+		c1 = zend_tolower((unsigned char)*(s1++));
+		c2 = zend_tolower((unsigned char)*(s2++));
 		if (c1 != c2) {
 			return c1 - c2;
 		}
diff --git a/Zend/zend_virtual_cwd.c b/Zend/zend_virtual_cwd.c
index 64fc16517405..a2ea4de165f4 100644
--- a/Zend/zend_virtual_cwd.c
+++ b/Zend/zend_virtual_cwd.c
@@ -195,7 +195,7 @@ void virtual_cwd_main_cwd_init(uint8_t reinit) /* {{{ */
 	main_cwd_state.cwd_length = strlen(cwd);
 #ifdef ZEND_WIN32
 	if (main_cwd_state.cwd_length >= 2 && cwd[1] == ':') {
-		cwd[0] = toupper(cwd[0]);
+		cwd[0] = toupper((unsigned char)cwd[0]);
 	}
 #endif
 	main_cwd_state.cwd = strdup(cwd);
@@ -273,7 +273,7 @@ CWD_API char *virtual_getcwd_ex(size_t *length) /* {{{ */
 		*length = state->cwd_length+1;
 		retval = (char *) emalloc(*length+1);
 		memcpy(retval, state->cwd, *length);
-		retval[0] = toupper(retval[0]);
+		retval[0] = toupper((unsigned char)retval[0]);
 		retval[*length-1] = DEFAULT_SLASH;
 		retval[*length] = '\0';
 		return retval;
@@ -1115,7 +1115,7 @@ CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func
 			if (resolved_path[start] == 0) {
 				goto verify;
 			}
-			resolved_path[start] = toupper(resolved_path[start]);
+			resolved_path[start] = toupper((unsigned char)resolved_path[start]);
 			start++;
 		}
 		resolved_path[start++] = DEFAULT_SLASH;
@@ -1123,13 +1123,13 @@ CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func
 			if (resolved_path[start] == 0) {
 				goto verify;
 			}
-			resolved_path[start] = toupper(resolved_path[start]);
+			resolved_path[start] = toupper((unsigned char)resolved_path[start]);
 			start++;
 		}
 		resolved_path[start++] = DEFAULT_SLASH;
 	} else if (IS_ABSOLUTE_PATH(resolved_path, path_length)) {
 		/* skip DRIVE name */
-		resolved_path[0] = toupper(resolved_path[0]);
+		resolved_path[0] = toupper((unsigned char)resolved_path[0]);
 		resolved_path[2] = DEFAULT_SLASH;
 		start = 3;
 	}
diff --git a/Zend/zend_virtual_cwd.h b/Zend/zend_virtual_cwd.h
index 28cbf6300b8e..dee1d6e7c0a7 100644
--- a/Zend/zend_virtual_cwd.h
+++ b/Zend/zend_virtual_cwd.h
@@ -85,7 +85,7 @@ typedef unsigned short mode_t;
 #define IS_UNC_PATH(path, len) \
 	(len >= 2 && IS_SLASH(path[0]) && IS_SLASH(path[1]))
 #define IS_ABSOLUTE_PATH(path, len) \
-	(len >= 2 && (/* is local */isalpha(path[0]) && path[1] == ':' || /* is UNC */IS_SLASH(path[0]) && IS_SLASH(path[1])))
+	(len >= 2 && (/* is local */isalpha((unsigned char)(path)[0]) && path[1] == ':' || /* is UNC */IS_SLASH(path[0]) && IS_SLASH(path[1])))
 
 #else
 #ifdef HAVE_DIRENT_H
diff --git a/ext/com_dotnet/com_extension.c b/ext/com_dotnet/com_extension.c
index 95361a4b9a9e..692358a0e6ed 100644
--- a/ext/com_dotnet/com_extension.c
+++ b/ext/com_dotnet/com_extension.c
@@ -119,11 +119,11 @@ static PHP_INI_MH(OnTypeLibFileUpdate)
 		}
 
 		/* Remove leading/training white spaces on search_string */
-		while (isspace(*typelib_name)) {/* Ends on '\0' in worst case */
+		while (isspace((unsigned char)*typelib_name)) {/* Ends on '\0' in worst case */
 			typelib_name ++;
 		}
 		ptr = typelib_name + strlen(typelib_name) - 1;
-		while ((ptr != typelib_name) && isspace(*ptr)) {
+		while ((ptr != typelib_name) && isspace((unsigned char)*ptr)) {
 			*ptr = '\0';
 			ptr--;
 		}
diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c
index ea1602ef13b4..050ca7def286 100644
--- a/ext/date/lib/parse_date.c
+++ b/ext/date/lib/parse_date.c
@@ -511,7 +511,7 @@ static timelib_sll timelib_get_nr(const char **ptr, int max_length)
 
 static void timelib_skip_day_suffix(const char **ptr)
 {
-	if (isspace(**ptr)) {
+	if (isspace((unsigned char)**ptr)) {
 		return;
 	}
 	if (!timelib_strncasecmp(*ptr, "nd", 2) || !timelib_strncasecmp(*ptr, "rd", 2) ||!timelib_strncasecmp(*ptr, "st", 2) || !timelib_strncasecmp(*ptr, "th", 2)) {
@@ -852,7 +852,7 @@ static timelib_long timelib_parse_tz_cor(const char **ptr, int *tz_not_found)
 
 	*tz_not_found = 1;
 
-	while (isdigit(**ptr) || **ptr == ':') {
+	while (isdigit((unsigned char)**ptr) || **ptr == ':') {
 		++*ptr;
 	}
 	end = *ptr;
@@ -917,7 +917,7 @@ static timelib_long timelib_parse_tz_minutes(const char **ptr, timelib_time *t)
 	}
 
 	++*ptr;
-	while (isdigit(**ptr)) {
+	while (isdigit((unsigned char)**ptr)) {
 		++*ptr;
 	}
 
@@ -24860,10 +24860,10 @@ timelib_time *timelib_strtotime(const char *s, size_t len, timelib_error_contain
 	in.errors->error_messages = NULL;
 
 	if (len > 0) {
-		while (isspace(*s) && s < e) {
+		while (isspace((unsigned char)*s) && s < e) {
 			s++;
 		}
-		while (isspace(*e) && e > s) {
+		while (isspace((unsigned char)*e) && e > s) {
 			e--;
 		}
 	}
diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re
index d32be9bfe7be..2f405d9381d5 100644
--- a/ext/date/lib/parse_date.re
+++ b/ext/date/lib/parse_date.re
@@ -509,7 +509,7 @@ static timelib_sll timelib_get_nr(const char **ptr, int max_length)
 
 static void timelib_skip_day_suffix(const char **ptr)
 {
-	if (isspace(**ptr)) {
+	if (isspace((unsigned char)**ptr)) {
 		return;
 	}
 	if (!timelib_strncasecmp(*ptr, "nd", 2) || !timelib_strncasecmp(*ptr, "rd", 2) ||!timelib_strncasecmp(*ptr, "st", 2) || !timelib_strncasecmp(*ptr, "th", 2)) {
@@ -850,7 +850,7 @@ static timelib_long timelib_parse_tz_cor(const char **ptr, int *tz_not_found)
 
 	*tz_not_found = 1;
 
-	while (isdigit(**ptr) || **ptr == ':') {
+	while (isdigit((unsigned char)**ptr) || **ptr == ':') {
 		++*ptr;
 	}
 	end = *ptr;
@@ -915,7 +915,7 @@ static timelib_long timelib_parse_tz_minutes(const char **ptr, timelib_time *t)
 	}
 
 	++*ptr;
-	while (isdigit(**ptr)) {
+	while (isdigit((unsigned char)**ptr)) {
 		++*ptr;
 	}
 
@@ -2010,10 +2010,10 @@ timelib_time *timelib_strtotime(const char *s, size_t len, timelib_error_contain
 	in.errors->error_messages = NULL;
 
 	if (len > 0) {
-		while (isspace(*s) && s < e) {
+		while (isspace((unsigned char)*s) && s < e) {
 			s++;
 		}
-		while (isspace(*e) && e > s) {
+		while (isspace((unsigned char)*e) && e > s) {
 			e--;
 		}
 	}
diff --git a/ext/date/lib/parse_iso_intervals.c b/ext/date/lib/parse_iso_intervals.c
index cdc329431ec4..d5fa782b8f3c 100644
--- a/ext/date/lib/parse_iso_intervals.c
+++ b/ext/date/lib/parse_iso_intervals.c
@@ -985,10 +985,10 @@ void timelib_strtointerval(const char *s, size_t len,
 	in.errors->error_messages = NULL;
 
 	if (len > 0) {
-		while (isspace(*s) && s < e) {
+		while (isspace((unsigned char)*s) && s < e) {
 			s++;
 		}
-		while (isspace(*e) && e > s) {
+		while (isspace((unsigned char)*e) && e > s) {
 			e--;
 		}
 	}
diff --git a/ext/date/lib/parse_iso_intervals.re b/ext/date/lib/parse_iso_intervals.re
index 2a394156f98d..009420077513 100644
--- a/ext/date/lib/parse_iso_intervals.re
+++ b/ext/date/lib/parse_iso_intervals.re
@@ -343,10 +343,10 @@ void timelib_strtointerval(const char *s, size_t len,
 	in.errors->error_messages = NULL;
 
 	if (len > 0) {
-		while (isspace(*s) && s < e) {
+		while (isspace((unsigned char)*s) && s < e) {
 			s++;
 		}
-		while (isspace(*e) && e > s) {
+		while (isspace((unsigned char)*e) && e > s) {
 			e--;
 		}
 	}
diff --git a/ext/date/lib/timelib.c b/ext/date/lib/timelib.c
index 6473a2798a80..faf383a5fa12 100644
--- a/ext/date/lib/timelib.c
+++ b/ext/date/lib/timelib.c
@@ -126,7 +126,7 @@ void timelib_time_tz_abbr_update(timelib_time* tm, const char* tz_abbr)
 	TIMELIB_TIME_FREE(tm->tz_abbr);
 	tm->tz_abbr = timelib_strdup(tz_abbr);
 	for (i = 0; i < tz_abbr_len; i++) {
-		tm->tz_abbr[i] = toupper(tz_abbr[i]);
+		tm->tz_abbr[i] = toupper((unsigned char)tz_abbr[i]);
 	}
 }
 
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 0ce2498f3a3a..36d53f330589 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -528,21 +528,21 @@ static int _php_filter_validate_domain(char * domain, size_t len, zend_long flag
 	}
 
 	/* First char must be alphanumeric */
-	if(*s == '.' || (hostname && !isalnum((int)*(unsigned char *)s))) {
+	if(*s == '.' || (hostname && !isalnum((unsigned char)*s))) {
 		return 0;
 	}
 
 	while (s < e) {
 		if (*s == '.') {
 			/* The first and the last character of a label must be alphanumeric */
-			if (*(s + 1) == '.' || (hostname && (!isalnum((int)*(unsigned char *)(s - 1)) || !isalnum((int)*(unsigned char *)(s + 1))))) {
+			if (*(s + 1) == '.' || (hostname && (!isalnum((unsigned char)s[-1]) || !isalnum((unsigned char)s[1])))) {
 				return 0;
 			}
 
 			/* Reset label length counter */
 			i = 1;
 		} else {
-			if (i > 63 || (hostname && (*s != '-' || *(s + 1) == '\0') && !isalnum((int)*(unsigned char *)s))) {
+			if (i > 63 || (hostname && (*s != '-' || *(s + 1) == '\0') && !isalnum((unsigned char)*s))) {
 				return 0;
 			}
 
@@ -569,9 +569,9 @@ static int is_userinfo_valid(zend_string *str)
 	const char *valid = "-._~!$&'()*+,;=:";
 	const char *p = ZSTR_VAL(str);
 	while (p - ZSTR_VAL(str) < ZSTR_LEN(str)) {
-		if (isalpha(*p) || isdigit(*p) || strchr(valid, *p)) {
+		if (isalpha((unsigned char)*p) || isdigit((unsigned char)*p) || strchr(valid, *p)) {
 			p++;
-		} else if (*p == '%' && p - ZSTR_VAL(str) <= ZSTR_LEN(str) - 3 && isdigit(*(p+1)) && isxdigit(*(p+2))) {
+		} else if (*p == '%' && p - ZSTR_VAL(str) <= ZSTR_LEN(str) - 3 && isdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
 			p += 3;
 		} else {
 			return 0;
diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
index dd1f9d6654ce..b89c854989c5 100644
--- a/ext/ftp/ftp.c
+++ b/ext/ftp/ftp.c
@@ -523,7 +523,7 @@ ftp_raw(ftpbuf_t *ftp, const char *cmd, const size_t cmd_len, zval *return_value
 	array_init(return_value);
 	while (ftp_readline(ftp)) {
 		add_next_index_string(return_value, ftp->inbuf);
-		if (isdigit(ftp->inbuf[0]) && isdigit(ftp->inbuf[1]) && isdigit(ftp->inbuf[2]) && ftp->inbuf[3] == ' ') {
+		if (isdigit((unsigned char)ftp->inbuf[0]) && isdigit((unsigned char)ftp->inbuf[1]) && isdigit((unsigned char)ftp->inbuf[2]) && ftp->inbuf[3] == ' ') {
 			return;
 		}
 	}
@@ -865,7 +865,7 @@ ftp_pasv(ftpbuf_t *ftp, int pasv)
 		return 0;
 	}
 	/* parse out the IP and port */
-	for (ptr = ftp->inbuf; *ptr && !isdigit(*ptr); ptr++);
+	for (ptr = ftp->inbuf; *ptr && !isdigit((unsigned char)*ptr); ptr++);
 	n = sscanf(ptr, "%lu,%lu,%lu,%lu,%lu,%lu", &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]);
 	if (n != 6) {
 		return 0;
@@ -1168,7 +1168,7 @@ ftp_mdtm(ftpbuf_t *ftp, const char *path, const size_t path_len)
 		return -1;
 	}
 	/* parse out the timestamp */
-	for (ptr = ftp->inbuf; *ptr && !isdigit(*ptr); ptr++);
+	for (ptr = ftp->inbuf; *ptr && !isdigit((unsigned char)*ptr); ptr++);
 	n = sscanf(ptr, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec);
 	if (n != 6) {
 		return -1;
@@ -1366,13 +1366,13 @@ ftp_getresp(ftpbuf_t *ftp)
 		}
 
 		/* Break out when the end-tag is found */
-		if (isdigit(ftp->inbuf[0]) && isdigit(ftp->inbuf[1]) && isdigit(ftp->inbuf[2]) && ftp->inbuf[3] == ' ') {
+		if (isdigit((unsigned char)ftp->inbuf[0]) && isdigit((unsigned char)ftp->inbuf[1]) && isdigit((unsigned char)ftp->inbuf[2]) && ftp->inbuf[3] == ' ') {
 			break;
 		}
 	}
 
 	/* translate the tag */
-	if (!isdigit(ftp->inbuf[0]) || !isdigit(ftp->inbuf[1]) || !isdigit(ftp->inbuf[2])) {
+	if (!isdigit((unsigned char)ftp->inbuf[0]) || !isdigit((unsigned char)ftp->inbuf[1]) || !isdigit((unsigned char)ftp->inbuf[2])) {
 		return 0;
 	}
 
diff --git a/ext/gd/libgd/gd_xbm.c b/ext/gd/libgd/gd_xbm.c
index 3c655a2998c1..8efb34fbb0d4 100644
--- a/ext/gd/libgd/gd_xbm.c
+++ b/ext/gd/libgd/gd_xbm.c
@@ -191,7 +191,7 @@ void gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
 	} else {
 		for (i=0; i<l; i++) {
 			/* only in C-locale isalnum() would work */
-			if (!isupper(name[i]) && !islower(name[i]) && !isdigit(name[i])) {
+			if (!isupper((unsigned char)name[i]) && !islower((unsigned char)name[i]) && !isdigit((unsigned char)name[i])) {
 				name[i] = '_';
 			}
 		}
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index be0a36038df8..6676d24800dc 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -2164,7 +2164,7 @@ PHP_FUNCTION(imap_utf8)
 #define SPECIAL(c) ((c) <= 0x1f || (c) >= 0x7f)
 
 /* validate a modified-base64 character */
-#define B64CHAR(c) (isalnum(c) || (c) == '+' || (c) == ',')
+#define B64CHAR(c) (isalnum((unsigned char)(c)) || (c) == '+' || (c) == ',')
 
 /* map the low 64 bits of `n' to the modified-base64 characters */
 #define B64(n)	("ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index d6053b6be56d..eda801815b5c 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -1229,7 +1229,7 @@ static int strToMatch(const char* str ,char *retstr)
 			if( *str == '-' ){
 				*retstr =  '_';
 			} else {
-				*retstr = tolower(*str);
+				*retstr = tolower((unsigned char)*str);
 			}
 				str++;
 				retstr++;
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 7efefb77e570..18231eccf94f 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -642,7 +642,7 @@ static char *php_mb_rfc1867_getword(const zend_encoding *encoding, char **line,
 
 static char *php_mb_rfc1867_getword_conf(const zend_encoding *encoding, char *str) /* {{{ */
 {
-	while (*str && isspace(*(unsigned char *)str)) {
+	while (*str && isspace((unsigned char)*str)) {
 		++str;
 	}
 
@@ -658,7 +658,7 @@ static char *php_mb_rfc1867_getword_conf(const zend_encoding *encoding, char *st
 	} else {
 		char *strend = str;
 
-		while (*strend && !isspace(*(unsigned char *)strend)) {
+		while (*strend && !isspace((unsigned char)*strend)) {
 			++strend;
 		}
 		return php_mb_rfc1867_substring_conf(encoding, str, strend - str, 0);
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 08195e1765ec..d37d3e96f23f 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -784,7 +784,7 @@ static inline void mb_regex_substitute(
 						continue;
 					}
 					if (name_end[0] == delim) break;
-					if (maybe_num && !isdigit(name_end[0])) maybe_num = 0;
+					if (maybe_num && !isdigit((unsigned char)name_end[0])) maybe_num = 0;
 					name_end++;
 				}
 				p = name_end + 1;
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 4c1d8db47c11..ce7eb1259fa6 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -634,7 +634,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, in
 
 	/* Parse through the leading whitespace, and display a warning if we
 	   get to the end without encountering a delimiter. */
-	while (isspace((int)*(unsigned char *)p)) p++;
+	while (isspace((unsigned char)*p)) p++;
 	if (p >= end_p) {
 		if (key != regex) {
 			zend_string_release_ex(key, 0);
@@ -647,7 +647,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, in
 	/* Get the delimiter and display a warning if it is alphanumeric
 	   or a backslash. */
 	delimiter = *p++;
-	if (isalnum((int)*(unsigned char *)&delimiter) || delimiter == '\\' || delimiter == '\0') {
+	if (isalnum((unsigned char)delimiter) || delimiter == '\\' || delimiter == '\0') {
 		if (key != regex) {
 			zend_string_release_ex(key, 0);
 		}
diff --git a/ext/pdo/pdo.c b/ext/pdo/pdo.c
index e8738db9f85a..683b2392b8f9 100644
--- a/ext/pdo/pdo.c
+++ b/ext/pdo/pdo.c
@@ -229,7 +229,7 @@ PDO_API int php_pdo_parse_data_source(const char *data_source, zend_ulong data_s
 			}
 		}
 
-		while (i < data_source_len && isspace(data_source[i])) {
+		while (i < data_source_len && isspace((unsigned char)data_source[i])) {
 			i++;
 		}
 
diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re
index 7f4721d12a63..7d2823523961 100644
--- a/ext/pdo/pdo_sql_parser.re
+++ b/ext/pdo/pdo_sql_parser.re
@@ -105,7 +105,7 @@ PDO_API int pdo_parse_params(pdo_stmt_t *stmt, zend_string *inquery, zend_string
 
 			if (t == PDO_PARSER_BIND) {
 				ptrdiff_t len = s.cur - s.tok;
-				if ((ZSTR_VAL(inquery) < (s.cur - len)) && isalnum(*(s.cur - len - 1))) {
+				if ((ZSTR_VAL(inquery) < (s.cur - len)) && isalnum((unsigned char)s.cur[-len - 1])) {
 					continue;
 				}
 				query_type |= PDO_PLACEHOLDER_NAMED;
diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
index 13180e29ee86..2c3313c77dc1 100644
--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
@@ -148,7 +148,7 @@ bool pdo_stmt_describe_columns(pdo_stmt_t *stmt) /* {{{ */
 					stmt->columns[col].name = zend_string_separate(orig_name, 0);
 					char *s = ZSTR_VAL(stmt->columns[col].name);
 					while (*s != '\0') {
-						*s = toupper(*s);
+						*s = toupper((unsigned char)*s);
 						s++;
 					}
 					break;
diff --git a/ext/standard/dl.c b/ext/standard/dl.c
index 04670fc0adf8..b80534decf6b 100644
--- a/ext/standard/dl.c
+++ b/ext/standard/dl.c
@@ -93,7 +93,7 @@ PHPAPI void *php_load_shlib(const char *path, char **errp)
 			size_t i = strlen(err);
 			(*errp)=estrdup(err);
 			php_win32_error_msg_free(err);
-			while (i > 0 && isspace((*errp)[i-1])) { (*errp)[i-1] = '\0'; i--; }
+			while (i > 0 && isspace((unsigned char)(*errp)[i-1])) { (*errp)[i-1] = '\0'; i--; }
 		} else {
 			(*errp) = estrdup("<No message>");
 		}
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 1b1b0ab9e9ce..49f78f8c0ce5 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -83,7 +83,7 @@ PHP_MINIT_FUNCTION(exec)
 
 static size_t strip_trailing_whitespace(char *buf, size_t bufl) {
 	size_t l = bufl;
-	while (l-- > 0 && isspace(((unsigned char *)buf)[l]));
+	while (l-- > 0 && isspace((unsigned char)buf[l]));
 	if (l != (bufl - 1)) {
 		bufl = l + 1;
 		buf[bufl] = '\0';
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 5a1fa2cec936..30f05683b598 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -1968,7 +1968,7 @@ PHPAPI HashTable *php_fgetcsv(php_stream *stream, char delimiter, char enclosure
 		inc_len = (bptr < limit ? (*bptr == '\0' ? 1 : php_mblen(bptr, limit - bptr)): 0);
 		if (inc_len == 1) {
 			char *tmp = bptr;
-			while ((*tmp != delimiter) && isspace((int)*(unsigned char *)tmp)) {
+			while ((*tmp != delimiter) && isspace((unsigned char)*tmp)) {
 				tmp++;
 			}
 			if (*tmp == enclosure && tmp < limit) {
diff --git a/ext/standard/filters.c b/ext/standard/filters.c
index 9b54b3deab18..08678f8d5d81 100644
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -958,7 +958,7 @@ static php_conv_err_t php_conv_qprint_decode_convert(php_conv_qprint_decode *ins
 					goto out;
 				}
 
-				if (!isxdigit((int) *ps)) {
+				if (!isxdigit(*ps)) {
 					err = PHP_CONV_ERR_INVALID_SEQ;
 					goto out;
 				}
diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index b988422df21c..a1927b5fe88a 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -378,7 +378,7 @@ php_sprintf_getnumber(char **buffer, size_t *len)
 
 int php_sprintf_get_argnum(char **format, size_t *format_len) {
 	char *temppos = *format;
-	while (isdigit((int) *temppos)) temppos++;
+	while (isdigit((unsigned char)*temppos)) temppos++;
 	if (*temppos != '$') {
 		return ARG_NUM_NEXT;
 	}
@@ -466,7 +466,7 @@ php_formatted_print(char *format, size_t format_len, zval *args, int argc, int n
 
 			PRINTF_DEBUG(("sprintf: first looking at '%c', inpos=%d\n",
 						  *format, format - Z_STRVAL_P(z_format)));
-			if (isalpha((int)*format)) {
+			if (isalpha((unsigned char)*format)) {
 				width = precision = 0;
 				argnum = ARG_NUM_NEXT;
 			} else {
@@ -535,7 +535,7 @@ php_formatted_print(char *format, size_t format_len, zval *args, int argc, int n
 					}
 					width = Z_LVAL_P(tmp);
 					adjusting |= ADJ_WIDTH;
-				} else if (isdigit((int)*format)) {
+				} else if (isdigit((unsigned char)*format)) {
 					PRINTF_DEBUG(("sprintf: getting width\n"));
 					if ((width = php_sprintf_getnumber(&format, &format_len)) < 0) {
 						zend_value_error("Width must be greater than zero and less than %d", INT_MAX);
@@ -580,7 +580,7 @@ php_formatted_print(char *format, size_t format_len, zval *args, int argc, int n
 						precision = Z_LVAL_P(tmp);
 						adjusting |= ADJ_PRECISION;
 						expprec = 1;
-					} else if (isdigit((int)*format)) {
+					} else if (isdigit((unsigned char)*format)) {
 						if ((precision = php_sprintf_getnumber(&format, &format_len)) < 0) {
 							zend_value_error("Precision must be greater than zero and less than %d", INT_MAX);
 							goto fail;
diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c
index db135ec02ecb..d6d72cf30f12 100644
--- a/ext/standard/ftp_fopen_wrapper.c
+++ b/ext/standard/ftp_fopen_wrapper.c
@@ -78,8 +78,8 @@ static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer
 {
 	buffer[0] = '\0'; /* in case read fails to read anything */
 	while (php_stream_gets(stream, buffer, buffer_size-1) &&
-		   !(isdigit((int) buffer[0]) && isdigit((int) buffer[1]) &&
-			 isdigit((int) buffer[2]) && buffer[3] == ' '));
+		   !(isdigit((unsigned char)buffer[0]) && isdigit((unsigned char)buffer[1]) &&
+			 isdigit((unsigned char)buffer[2]) && buffer[3] == ' '));
 	return strtol(buffer, NULL, 10);
 }
 /* }}} */
@@ -228,7 +228,7 @@ static php_stream *php_ftp_fopen_connect(php_stream_wrapper *wrapper, const char
 #define PHP_FTP_CNTRL_CHK(val, val_len, err_msg) {	\
 	unsigned char *s = (unsigned char *) val, *e = (unsigned char *) s + val_len;	\
 	while (s < e) {	\
-		if (iscntrl(*s)) {	\
+		if (iscntrl((unsigned char)*s)) {	\
 			php_stream_wrapper_log_error(wrapper, options, err_msg, val);	\
 			goto connect_errexit;	\
 		}	\
@@ -339,14 +339,14 @@ static unsigned short php_fopen_do_pasv(php_stream *stream, char *ip, size_t ip_
 		/* parse pasv command (129, 80, 95, 25, 13, 221) */
 		tpath = tmp_line;
 		/* skip over the "227 Some message " part */
-		for (tpath += 4; *tpath && !isdigit((int) *tpath); tpath++);
+		for (tpath += 4; *tpath && !isdigit((unsigned char)*tpath); tpath++);
 		if (!*tpath) {
 			return 0;
 		}
 		/* skip over the host ip, to get the port */
 		hoststart = tpath;
 		for (i = 0; i < 4; i++) {
-			for (; isdigit((int) *tpath); tpath++);
+			for (; isdigit((unsigned char)*tpath); tpath++);
 			if (*tpath != ',') {
 				return 0;
 			}
@@ -826,7 +826,7 @@ static int php_stream_ftp_url_stat(php_stream_wrapper *wrapper, const char *url,
 		struct tm tm, tmbuf, *gmt;
 		time_t stamp;
 
-		while ((size_t)(p - tmp_line) < sizeof(tmp_line) && !isdigit(*p)) {
+		while ((size_t)(p - tmp_line) < sizeof(tmp_line) && !isdigit((unsigned char)*p)) {
 			p++;
 		}
 
diff --git a/ext/standard/html.c b/ext/standard/html.c
index d76ba5b0101d..e3e91bb3a27a 100644
--- a/ext/standard/html.c
+++ b/ext/standard/html.c
@@ -682,8 +682,8 @@ static inline int process_numeric_entity(const char **buf, unsigned *code_point)
 
 	/* strtol allows whitespace and other stuff in the beginning
 		* we're not interested */
-	if ((hexadecimal && !isxdigit(**buf)) ||
-			(!hexadecimal && !isdigit(**buf))) {
+	if ((hexadecimal && !isxdigit((unsigned char)**buf)) ||
+			(!hexadecimal && !isdigit((unsigned char)**buf))) {
 		return FAILURE;
 	}
 
diff --git a/ext/standard/math.c b/ext/standard/math.c
index 8643676b03e7..af5869c88bc5 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -727,9 +727,9 @@ PHPAPI void _php_math_basetozval(zend_string *str, int base, zval *ret)
 	e = s + ZSTR_LEN(str);
 
 	/* Skip leading whitespace */
-	while (s < e && isspace(*s)) s++;
+	while (s < e && isspace((unsigned char)*s)) s++;
 	/* Skip trailing whitespace */
-	while (s < e && isspace(*(e-1))) e--;
+	while (s < e && isspace((unsigned char)e[-1])) e--;
 
 	if (e - s >= 2) {
 		if (base == 16 && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2;
@@ -1031,7 +1031,7 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, const char *de
 	tmpbuf = strpprintf(0, "%.*F", dec, d);
 	if (tmpbuf == NULL) {
 		return NULL;
-	} else if (!isdigit((int)ZSTR_VAL(tmpbuf)[0])) {
+	} else if (!isdigit((unsigned char)ZSTR_VAL(tmpbuf)[0])) {
 		return tmpbuf;
 	}
 
diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
index 7affde44de1f..01ae1f965c19 100644
--- a/ext/standard/metaphone.c
+++ b/ext/standard/metaphone.c
@@ -78,7 +78,7 @@ static const char _codes[26] =
 };
 
 
-#define ENCODE(c) (isalpha(c) ? _codes[((toupper(c)) - 'A')] : 0)
+#define ENCODE(c) (isalpha((unsigned char)(c)) ? _codes[((toupper((unsigned char)(c))) - 'A')] : 0)
 
 #define isvowel(c)  (ENCODE(c) & 1)		/* AEIOU */
 
@@ -102,17 +102,17 @@ static const char _codes[26] =
  * accesssing the array directly... */
 
 /* Look at the next letter in the word */
-#define Next_Letter (toupper(word[w_idx+1]))
+#define Next_Letter (toupper((unsigned char)word[w_idx+1]))
 /* Look at the current letter in the word */
-#define Curr_Letter (toupper(word[w_idx]))
+#define Curr_Letter (toupper((unsigned char)word[w_idx]))
 /* Go N letters back. */
-#define Look_Back_Letter(n)	(w_idx >= n ? toupper(word[w_idx-n]) : '\0')
+#define Look_Back_Letter(n)	(w_idx >= n ? toupper((unsigned char)word[w_idx-n]) : '\0')
 /* Previous letter.  I dunno, should this return null on failure? */
 #define Prev_Letter (Look_Back_Letter(1))
 /* Look two letters down.  It makes sure you don't walk off the string. */
-#define After_Next_Letter	(Next_Letter != '\0' ? toupper(word[w_idx+2]) \
+#define After_Next_Letter	(Next_Letter != '\0' ? toupper((unsigned char)word[w_idx+2]) \
 											     : '\0')
-#define Look_Ahead_Letter(n) (toupper(Lookahead((char *) word+w_idx, n)))
+#define Look_Ahead_Letter(n) (toupper((unsigned char)Lookahead((char *) word+w_idx, n)))
 
 
 /* Allows us to safely look ahead an arbitrary # of letters */
@@ -156,7 +156,7 @@ static char Lookahead(char *word, size_t how_far)
 #define Phone_Len	(p_idx)
 
 /* Note is a letter is a 'break' in the word */
-#define Isbreak(c)  (!isalpha(c))
+#define Isbreak(c)  (!isalpha((unsigned char)(c)))
 
 /* {{{ metaphone */
 static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
@@ -179,7 +179,7 @@ static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonem
 
 /*-- The first phoneme has to be processed specially. --*/
 	/* Find our first letter */
-	for (; !isalpha(Curr_Letter); w_idx++) {
+	for (; !isalpha((unsigned char)Curr_Letter); w_idx++) {
 		/* On the off chance we were given nothing but crap... */
 		if (Curr_Letter == '\0') {
 			End_Phoned_Word();
@@ -263,7 +263,7 @@ static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonem
 		 */
 
 		/* Ignore non-alphas */
-		if (!isalpha(Curr_Letter))
+		if (!isalpha((unsigned char)Curr_Letter))
 			continue;
 
 		/* Drop duplicates, except CC */
diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
index e6aa2e43f4c6..fba61f9f484a 100644
--- a/ext/standard/quot_print.c
+++ b/ext/standard/quot_print.c
@@ -216,11 +216,11 @@ PHP_FUNCTION(quoted_printable_decode)
 		switch (str_in[i]) {
 		case '=':
 			if (str_in[i + 1] && str_in[i + 2] &&
-				isxdigit((int) str_in[i + 1]) &&
-				isxdigit((int) str_in[i + 2]))
+				isxdigit((unsigned char)str_in[i + 1]) &&
+				isxdigit((unsigned char)str_in[i + 2]))
 			{
-				ZSTR_VAL(str_out)[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
-						+ php_hex2int((int) str_in[i + 2]);
+				ZSTR_VAL(str_out)[j++] = (php_hex2int((unsigned char)str_in[i + 1]) << 4)
+						+ php_hex2int((unsigned char)str_in[i + 2]);
 				i += 3;
 			} else  /* check for soft line break according to RFC 2045*/ {
 				k = 1;
diff --git a/ext/standard/scanf.c b/ext/standard/scanf.c
index 408e5ede8881..8754bd7580fd 100644
--- a/ext/standard/scanf.c
+++ b/ext/standard/scanf.c
@@ -345,7 +345,7 @@ PHPAPI int ValidateFormat(char *format, int numVars, int *totalSubs)
 			goto xpgCheckDone;
 		}
 
-		if ( isdigit( (int)*ch ) ) {
+		if ( isdigit( (unsigned char)*ch ) ) {
 			/*
 			 * Check for an XPG3-style %n$ specification.  Note: there
 			 * must not be a mixture of XPG3 specs and non-XPG3 specs
@@ -656,9 +656,9 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
 		/*
 		 * If we see whitespace in the format, skip whitespace in the string.
 		 */
-		if ( isspace( (int)*ch ) ) {
+		if ( isspace( (unsigned char)*ch ) ) {
 			sch = *string;
-			while ( isspace( (int)sch ) ) {
+			while ( isspace( (unsigned char)sch ) ) {
 				if (*string == '\0') {
 					goto done;
 				}
@@ -809,7 +809,7 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
 		if (!(flags & SCAN_NOSKIP)) {
 			while (*string != '\0') {
 				sch = *string;
-				if (! isspace((int)sch) ) {
+				if (! isspace((unsigned char)sch) ) {
 					break;
 				}
 				string++;
@@ -835,7 +835,7 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
 				end = string;
 				while (*end != '\0') {
 					sch = *end;
-					if ( isspace( (int)sch ) ) {
+					if ( isspace( (unsigned char)sch ) ) {
 						break;
 					}
 					end++;
diff --git a/ext/standard/soundex.c b/ext/standard/soundex.c
index 7d50be97e75e..4dded617a659 100644
--- a/ext/standard/soundex.c
+++ b/ext/standard/soundex.c
@@ -67,7 +67,7 @@ PHP_FUNCTION(soundex)
 		/* BUG: should also map here accented letters used in non */
 		/* English words or names (also found in English text!): */
 		/* esstsett, thorn, n-tilde, c-cedilla, s-caron, ... */
-		code = toupper((int)(unsigned char)str[i]);
+		code = toupper((unsigned char)str[i]);
 		if (code >= 'A' && code <= 'Z') {
 			if (_small == 0) {
 				/* remember first valid char */
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 0cc8af0ef366..cd23e67bdea5 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3537,9 +3537,9 @@ PHPAPI void php_stripcslashes(zend_string *str)
 				case 'f':  *target++='\f'; nlen--; break;
 				case '\\': *target++='\\'; nlen--; break;
 				case 'x':
-					if (source+1 < end && isxdigit((int)(*(source+1)))) {
+					if (source+1 < end && isxdigit((unsigned char)source[1])) {
 						numtmp[0] = *++source;
-						if (source+1 < end && isxdigit((int)(*(source+1)))) {
+						if (source+1 < end && isxdigit((unsigned char)source[1])) {
 							numtmp[1] = *++source;
 							numtmp[2] = '\0';
 							nlen-=3;
@@ -4396,7 +4396,7 @@ PHP_FUNCTION(hebrev)
 
 	do {
 		if (block_type == _HEB_BLOCK_TYPE_HEB) {
-			while ((isheb((int)*(tmp+1)) || _isblank((int)*(tmp+1)) || ispunct((int)*(tmp+1)) || (int)*(tmp+1)=='\n' ) && block_end<str_len-1) {
+			while ((isheb((int)*(tmp+1)) || _isblank((int)*(tmp+1)) || ispunct((unsigned char)tmp[1]) || (int)*(tmp+1)=='\n' ) && block_end<str_len-1) {
 				tmp++;
 				block_end++;
 			}
@@ -4444,7 +4444,7 @@ PHP_FUNCTION(hebrev)
 				tmp++;
 				block_end++;
 			}
-			while ((_isblank((int)*tmp) || ispunct((int)*tmp)) && *tmp!='/' && *tmp!='-' && block_end > block_start) {
+			while ((_isblank((int)*tmp) || ispunct((unsigned char)*tmp)) && *tmp!='/' && *tmp!='-' && block_end > block_start) {
 				tmp--;
 				block_end--;
 			}
@@ -4827,7 +4827,7 @@ static bool php_tag_find(char *tag, size_t len, const char *set) {
 				done =1;
 				break;
 			default:
-				if (!isspace((int)c)) {
+				if (!isspace((unsigned char)c)) {
 					if (state == 0) {
 						state=1;
 					}
@@ -4917,7 +4917,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, const char *allow, size_
 			if (in_q) {
 				break;
 			}
-			if (isspace(*(p + 1)) && !allow_tag_spaces) {
+			if (isspace((unsigned char)p[1]) && !allow_tag_spaces) {
 				*(rp++) = c;
 				break;
 			}
@@ -4964,7 +4964,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, const char *allow, size_
 			if (in_q) {
 				break;
 			}
-			if (isspace(*(p + 1)) && !allow_tag_spaces) {
+			if (isspace((unsigned char)p[1]) && !allow_tag_spaces) {
 				goto reg_char_1;
 			}
 			depth++;
diff --git a/ext/standard/strnatcmp.c b/ext/standard/strnatcmp.c
index 3c3f5a99232f..583cbb5dc47a 100644
--- a/ext/standard/strnatcmp.c
+++ b/ext/standard/strnatcmp.c
@@ -40,12 +40,12 @@ compare_right(char const **a, char const *aend, char const **b, char const *bend
 	   both numbers to know that they have the same magnitude, so we
 	   remember it in BIAS. */
 	for(;; (*a)++, (*b)++) {
-		if ((*a == aend || !isdigit((int)(unsigned char)**a)) &&
-			(*b == bend || !isdigit((int)(unsigned char)**b)))
+		if ((*a == aend || !isdigit((unsigned char)**a)) &&
+			(*b == bend || !isdigit((unsigned char)**b)))
 			return bias;
-		else if (*a == aend || !isdigit((int)(unsigned char)**a))
+		else if (*a == aend || !isdigit((unsigned char)**a))
 			return -1;
-		else if (*b == bend || !isdigit((int)(unsigned char)**b))
+		else if (*b == bend || !isdigit((unsigned char)**b))
 			return +1;
 		else if (**a < **b) {
 			if (!bias)
@@ -67,12 +67,12 @@ compare_left(char const **a, char const *aend, char const **b, char const *bend)
 	/* Compare two left-aligned numbers: the first to have a
 	   different value wins. */
 	for(;; (*a)++, (*b)++) {
-		if ((*a == aend || !isdigit((int)(unsigned char)**a)) &&
-			(*b == bend || !isdigit((int)(unsigned char)**b)))
+		if ((*a == aend || !isdigit((unsigned char)**a)) &&
+			(*b == bend || !isdigit((unsigned char)**b)))
 			return 0;
-		else if (*a == aend || !isdigit((int)(unsigned char)**a))
+		else if (*a == aend || !isdigit((unsigned char)**a))
 			return -1;
-		else if (*b == bend || !isdigit((int)(unsigned char)**b))
+		else if (*b == bend || !isdigit((unsigned char)**b))
 			return +1;
 		 else if (**a < **b)
 			 return -1;
@@ -103,27 +103,27 @@ PHPAPI int strnatcmp_ex(char const *a, size_t a_len, char const *b, size_t b_len
 	ca = *ap; cb = *bp;
 
 	/* skip over leading zeros */
-	while (ca == '0' && (ap+1 < aend) && isdigit((int)(unsigned char)*(ap+1))) {
+	while (ca == '0' && (ap+1 < aend) && isdigit((unsigned char)ap[1])) {
 		ca = *++ap;
 	}
 
-	while (cb == '0' && (bp+1 < bend) && isdigit((int)(unsigned char)*(bp+1))) {
+	while (cb == '0' && (bp+1 < bend) && isdigit((unsigned char)bp[1])) {
 		cb = *++bp;
 	}
 
 	while (1) {
 
 		/* Skip consecutive whitespace */
-		while (isspace((int)(unsigned char)ca)) {
+		while (isspace(ca)) {
 			ca = *++ap;
 		}
 
-		while (isspace((int)(unsigned char)cb)) {
+		while (isspace(cb)) {
 			cb = *++bp;
 		}
 
 		/* process run of digits */
-		if (isdigit((int)(unsigned char)ca)  &&  isdigit((int)(unsigned char)cb)) {
+		if (isdigit(ca)  &&  isdigit(cb)) {
 			fractional = (ca == '0' || cb == '0');
 
 			if (fractional)
@@ -147,8 +147,8 @@ PHPAPI int strnatcmp_ex(char const *a, size_t a_len, char const *b, size_t b_len
 		}
 
 		if (is_case_insensitive) {
-			ca = toupper((int)(unsigned char)ca);
-			cb = toupper((int)(unsigned char)cb);
+			ca = toupper(ca);
+			cb = toupper(cb);
 		}
 
 		if (ca < cb)
diff --git a/ext/standard/type.c b/ext/standard/type.c
index a564446bd8ba..ed5d5458dcab 100644
--- a/ext/standard/type.c
+++ b/ext/standard/type.c
@@ -161,7 +161,7 @@ PHP_FUNCTION(intval)
 		char *strval = Z_STRVAL_P(num);
 		size_t strlen = Z_STRLEN_P(num);
 
-		while (isspace(*strval) && strlen) {
+		while (isspace((unsigned char)*strval) && strlen) {
 			strval++;
 			strlen--;
 		}
diff --git a/ext/standard/url.c b/ext/standard/url.c
index e3d95768fb01..def29df906a2 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -117,7 +117,7 @@ PHPAPI php_url *php_url_parse_ex2(char const *str, size_t length, bool *has_port
 		p = s;
 		while (p < e) {
 			/* scheme = 1*[ lowalpha | digit | "+" | "-" | "." ] */
-			if (!isalpha(*p) && !isdigit(*p) && *p != '+' && *p != '.' && *p != '-') {
+			if (!isalpha((unsigned char)*p) && !isdigit((unsigned char)*p) && *p != '+' && *p != '.' && *p != '-') {
 				if (e + 1 < ue && e < binary_strcspn(s, ue, "?#")) {
 					goto parse_port;
 				} else if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */
@@ -146,7 +146,7 @@ PHPAPI php_url *php_url_parse_ex2(char const *str, size_t length, bool *has_port
 			 * correctly parse things like a.com:80
 			 */
 			p = e + 1;
-			while (p < ue && isdigit(*p)) {
+			while (p < ue && isdigit((unsigned char)*p)) {
 				p++;
 			}
 
@@ -186,7 +186,7 @@ PHPAPI php_url *php_url_parse_ex2(char const *str, size_t length, bool *has_port
 		p = e + 1;
 		pp = p;
 
-		while (pp < ue && pp - p < 6 && isdigit(*pp)) {
+		while (pp < ue && pp - p < 6 && isdigit((unsigned char)*pp)) {
 			pp++;
 		}
 
@@ -429,12 +429,12 @@ static int php_htoi(char *s)
 	int value;
 	int c;
 
-	c = ((unsigned char *)s)[0];
+	c = (unsigned char)s[0];
 	if (isupper(c))
 		c = tolower(c);
 	value = (c >= '0' && c <= '9' ? c - '0' : c - 'a' + 10) * 16;
 
-	c = ((unsigned char *)s)[1];
+	c = (unsigned char)s[1];
 	if (isupper(c))
 		c = tolower(c);
 	value += c >= '0' && c <= '9' ? c - '0' : c - 'a' + 10;
@@ -601,8 +601,8 @@ PHPAPI size_t php_url_decode(char *str, size_t len)
 		if (*data == '+') {
 			*dest = ' ';
 		}
-		else if (*data == '%' && len >= 2 && isxdigit((int) *(data + 1))
-				 && isxdigit((int) *(data + 2))) {
+		else if (*data == '%' && len >= 2 && isxdigit((unsigned char)data[1])
+				 && isxdigit((unsigned char)data[2])) {
 			*dest = (char) php_htoi(data + 1);
 			data += 2;
 			len -= 2;
@@ -660,8 +660,8 @@ PHPAPI size_t php_raw_url_decode(char *str, size_t len)
 	char *data = str;
 
 	while (len--) {
-		if (*data == '%' && len >= 2 && isxdigit((int) *(data + 1))
-			&& isxdigit((int) *(data + 2))) {
+		if (*data == '%' && len >= 2 && isxdigit((unsigned char)data[1])
+			&& isxdigit((unsigned char)data[2])) {
 			*dest = (char) php_htoi(data + 1);
 			data += 2;
 			len -= 2;
@@ -722,7 +722,7 @@ PHP_FUNCTION(get_headers)
 				c = *p;
 				*p = '\0';
 				s = p + 1;
-				while (isspace((int)*(unsigned char *)s)) {
+				while (isspace((unsigned char)*s)) {
 					s++;
 				}
 
diff --git a/ext/standard/url_scanner_ex.re b/ext/standard/url_scanner_ex.re
index b22cf3cc49c1..866b9bcc0dbf 100644
--- a/ext/standard/url_scanner_ex.re
+++ b/ext/standard/url_scanner_ex.re
@@ -85,7 +85,7 @@ static int php_ini_on_update_tags(zend_ini_entry *entry, zend_string *new_value,
 
 			*val++ = '\0';
 			for (q = key; *q; q++) {
-				*q = tolower(*q);
+				*q = tolower((unsigned char)*q);
 			}
 			keylen = q - key;
 			str = zend_string_init(key, keylen, 1);
@@ -134,7 +134,7 @@ static int php_ini_on_update_hosts(zend_ini_entry *entry, zend_string *new_value
 		char *q;
 
 		for (q = key; *q; q++) {
-			*q = tolower(*q);
+			*q = tolower((unsigned char)*q);
 		}
 		keylen = q - key;
 		if (keylen > 0) {
@@ -456,7 +456,7 @@ static inline void handle_tag(STD_PARA)
 	}
 	smart_str_appendl(&ctx->tag, start, YYCURSOR - start);
 	for (i = 0; i < ZSTR_LEN(ctx->tag.s); i++)
-		ZSTR_VAL(ctx->tag.s)[i] = tolower((int)(unsigned char)ZSTR_VAL(ctx->tag.s)[i]);
+		ZSTR_VAL(ctx->tag.s)[i] = tolower((unsigned char)ZSTR_VAL(ctx->tag.s)[i]);
     /* intentionally using str_find here, in case the hash value is set, but the string val is changed later */
 	if ((ctx->lookup_data = zend_hash_str_find_ptr(ctx->tags, ZSTR_VAL(ctx->tag.s), ZSTR_LEN(ctx->tag.s))) != NULL) {
 		ok = 1;
diff --git a/ext/standard/versioning.c b/ext/standard/versioning.c
index aa60d9746722..178539709c7a 100644
--- a/ext/standard/versioning.c
+++ b/ext/standard/versioning.c
@@ -45,8 +45,8 @@ php_canonicalize_version(const char *version)
  *  s/([^\d\.])([^\D\.])/$1.$2/g;
  *  s/([^\D\.])([^\d\.])/$1.$2/g;
  */
-#define isdig(x) (isdigit(x)&&(x)!='.')
-#define isndig(x) (!isdigit(x)&&(x)!='.')
+#define isdig(x) (isdigit((unsigned char)(x))&&(x)!='.')
+#define isndig(x) (!isdigit((unsigned char)(x))&&(x)!='.')
 #define isspecialver(x) ((x)=='-'||(x)=='_'||(x)=='+')
 
 		lq = *(q - 1);
@@ -59,7 +59,7 @@ php_canonicalize_version(const char *version)
 				*q++ = '.';
 			}
 			*q++ = *p;
-		} else if (!isalnum(*p)) {
+		} else if (!isalnum((unsigned char)*p)) {
 			if (lq != '.') {
 				*q++ = '.';
 			}
@@ -152,17 +152,17 @@ php_version_compare(const char *orig_ver1, const char *orig_ver2)
 		if ((n2 = strchr(p2, '.')) != NULL) {
 			*n2 = '\0';
 		}
-		if (isdigit(*p1) && isdigit(*p2)) {
+		if (isdigit((unsigned char)*p1) && isdigit((unsigned char)*p2)) {
 			/* compare element numerically */
 			l1 = strtol(p1, NULL, 10);
 			l2 = strtol(p2, NULL, 10);
 			compare = ZEND_NORMALIZE_BOOL(l1 - l2);
-		} else if (!isdigit(*p1) && !isdigit(*p2)) {
+		} else if (!isdigit((unsigned char)*p1) && !isdigit((unsigned char)*p2)) {
 			/* compare element names */
 			compare = compare_special_version_forms(p1, p2);
 		} else {
 			/* mix of names and numbers */
-			if (isdigit(*p1)) {
+			if (isdigit((unsigned char)*p1)) {
 				compare = compare_special_version_forms("#N#", p2);
 			} else {
 				compare = compare_special_version_forms(p1, "#N#");
@@ -180,13 +180,13 @@ php_version_compare(const char *orig_ver1, const char *orig_ver2)
 	}
 	if (compare == 0) {
 		if (n1 != NULL) {
-			if (isdigit(*p1)) {
+			if (isdigit((unsigned char)*p1)) {
 				compare = 1;
 			} else {
 				compare = php_version_compare(p1, "#N#");
 			}
 		} else if (n2 != NULL) {
-			if (isdigit(*p2)) {
+			if (isdigit((unsigned char)*p2)) {
 				compare = -1;
 			} else {
 				compare = php_version_compare("#N#", p2);
diff --git a/main/SAPI.c b/main/SAPI.c
index d0226ded65be..79014cf3e279 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -193,7 +193,7 @@ static void sapi_read_post_data(void)
 				*p = 0;
 				break;
 			default:
-				*p = tolower(*p);
+				*p = tolower((unsigned char)*p);
 				break;
 		}
 	}
@@ -713,10 +713,10 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg)
 	}
 
 	/* cut off trailing spaces, linefeeds and carriage-returns */
-	if (header_line_len && isspace(header_line[header_line_len-1])) {
+	if (header_line_len && isspace((unsigned char)header_line[header_line_len - 1])) {
 		do {
 			header_line_len--;
-		} while(header_line_len && isspace(header_line[header_line_len-1]));
+		} while(header_line_len && isspace((unsigned char)header_line[header_line_len - 1]));
 		header_line[header_line_len]='\0';
 	}
 
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index ad59b2b85bf1..ebe57153facf 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -499,7 +499,7 @@ PHPAPI zend_string *php_resolve_path(const char *filename, size_t filename_lengt
 	}
 
 	/* Don't resolve paths which contain protocol (except of file://) */
-	for (p = filename; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
+	for (p = filename; isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
 	if ((*p == ':') && (p - filename > 1) && (p[1] == '/') && (p[2] == '/')) {
 		wrapper = php_stream_locate_url_wrapper(filename, &actual_path, STREAM_OPEN_FOR_INCLUDE);
 		if (wrapper == &php_plain_files_wrapper) {
@@ -531,7 +531,7 @@ PHPAPI zend_string *php_resolve_path(const char *filename, size_t filename_lengt
 		/* Check for stream wrapper */
 		int is_stream_wrapper = 0;
 
-		for (p = ptr; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
+		for (p = ptr; isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
 		if ((*p == ':') && (p - ptr > 1) && (p[1] == '/') && (p[2] == '/')) {
 			/* .:// or ..:// is not a stream wrapper */
 			if (p[-1] != '.' || p[-2] != '.' || p - 2 != ptr) {
@@ -600,7 +600,7 @@ PHPAPI zend_string *php_resolve_path(const char *filename, size_t filename_lengt
 			actual_path = trypath;
 
 			/* Check for stream wrapper */
-			for (p = trypath; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
+			for (p = trypath; isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
 			if ((*p == ':') && (p - trypath > 1) && (p[1] == '/') && (p[2] == '/')) {
 				wrapper = php_stream_locate_url_wrapper(trypath, &actual_path, STREAM_OPEN_FOR_INCLUDE);
 				if (!wrapper) {
diff --git a/main/php_ini.c b/main/php_ini.c
index 2ff259f6e114..924632fd62a5 100644
--- a/main/php_ini.c
+++ b/main/php_ini.c
@@ -40,7 +40,7 @@
 		char *tmp = path; \
 		while (*tmp) { \
 			if (*tmp == '\\') *tmp = '/'; \
-			else *tmp = tolower(*tmp); \
+			else *tmp = tolower((unsigned char)*tmp); \
 				tmp++; \
 		} \
 	}
diff --git a/main/php_ini_builder.c b/main/php_ini_builder.c
index d214a340343f..e280718e9313 100644
--- a/main/php_ini_builder.c
+++ b/main/php_ini_builder.c
@@ -67,7 +67,7 @@ PHPAPI void php_ini_builder_define(struct php_ini_builder *b, const char *arg)
 
 	if (val != NULL) {
 		val++;
-		if (!isalnum(*val) && *val != '"' && *val != '\'' && *val != '\0') {
+		if (!isalnum((unsigned char)*val) && *val != '"' && *val != '\'' && *val != '\0') {
 			php_ini_builder_quoted(b, arg, val - arg - 1, val, arg + len - val);
 		} else {
 			php_ini_builder_realloc(b, len + strlen("\n"));
diff --git a/main/php_variables.c b/main/php_variables.c
index bac5b1b673b6..8f74d6cf2849 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -220,7 +220,7 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
 
 			ip++;
 			index_s = ip;
-			if (isspace(*ip)) {
+			if (isspace((unsigned char)*ip)) {
 				ip++;
 			}
 			if (*ip==']') {
@@ -543,7 +543,7 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
 
 		if (arg == PARSE_COOKIE) {
 			/* Remove leading spaces from cookie names, needed for multi-cookie header where ; can be followed by a space */
-			while (isspace(*var)) {
+			while (isspace((unsigned char)*var)) {
 				var++;
 			}
 			if (var == val || *var == '\0') {
diff --git a/main/rfc1867.c b/main/rfc1867.c
index fbfd6e78f999..82f006db9619 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -414,7 +414,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
 		}
 
 		/* space in the beginning means same header */
-		if (!isspace(line[0])) {
+		if (!isspace((unsigned char)line[0])) {
 			value = strchr(line, ':');
 		}
 
@@ -430,7 +430,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
 			}
 
 			*value = '\0';
-			do { value++; } while (isspace(*value));
+			do { value++; } while (isspace((unsigned char)*value));
 
 			key = estrdup(line);
 			smart_string_appends(&buf_value, value);
@@ -527,7 +527,7 @@ static char *substring_conf(char *start, int len, char quote)
 
 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
 {
-	while (*str && isspace(*str)) {
+	while (*str && isspace((unsigned char)*str)) {
 		++str;
 	}
 
@@ -543,7 +543,7 @@ static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
 	} else {
 		char *strend = str;
 
-		while (*strend && !isspace(*strend)) {
+		while (*strend && !isspace((unsigned char)*strend)) {
 			++strend;
 		}
 		return substring_conf(str, strend - str, 0);
@@ -810,7 +810,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 				goto fileupload_done;
 			}
 
-			while (isspace(*cd)) {
+			while (isspace((unsigned char)*cd)) {
 				++cd;
 			}
 
@@ -818,7 +818,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 			{
 				char *key = NULL, *word = pair;
 
-				while (isspace(*cd)) {
+				while (isspace((unsigned char)*cd)) {
 					++cd;
 				}
 
diff --git a/main/snprintf.c b/main/snprintf.c
index 9acd4efe6d77..2b01da0accec 100644
--- a/main/snprintf.c
+++ b/main/snprintf.c
@@ -288,7 +288,7 @@ PHPAPI char * php_conv_fp(char format, double num,
 	/*
 	 * Check for Infinity and NaN
 	 */
-	if (isalpha((int)*p)) {
+	if (isalpha((unsigned char)*p)) {
 		*len = strlen(p);
 		memcpy(buf, p, *len + 1);
 		*is_negative = false;
@@ -435,11 +435,11 @@ typedef struct buf_area buffy;
 #define NUM( c )			( c - '0' )
 
 #define STR_TO_DEC( str, num )		\
-    num = NUM( *str++ ) ;		\
-    while ( isdigit((int)*str ) )		\
+    num = NUM( *(str)++ ) ;		\
+    while ( isdigit((unsigned char)*(str) ) )		\
     {					\
 	num *= 10 ;			\
-	num += NUM( *str++ ) ;		\
+	num += NUM( *(str)++ ) ;		\
     }
 
 /*
@@ -533,7 +533,7 @@ static size_t format_converter(buffy * odp, const char *fmt, va_list ap) /* {{{
 			/*
 			 * Try to avoid checking for flags, width or precision
 			 */
-			if (isascii((int)*fmt) && !islower((int)*fmt)) {
+			if (isascii((unsigned char)*fmt) && !islower((unsigned char)*fmt)) {
 				/*
 				 * Recognize flags: -, #, BLANK, +
 				 */
@@ -555,7 +555,7 @@ static size_t format_converter(buffy * odp, const char *fmt, va_list ap) /* {{{
 				/*
 				 * Check if a width was specified
 				 */
-				if (isdigit((int)*fmt)) {
+				if (isdigit((unsigned char)*fmt)) {
 					STR_TO_DEC(fmt, min_width);
 					adjust_width = true;
 				} else if (*fmt == '*') {
@@ -575,7 +575,7 @@ static size_t format_converter(buffy * odp, const char *fmt, va_list ap) /* {{{
 				if (*fmt == '.') {
 					adjust_precision = true;
 					fmt++;
-					if (isdigit((int)*fmt)) {
+					if (isdigit((unsigned char)*fmt)) {
 						STR_TO_DEC(fmt, precision);
 					} else if (*fmt == '*') {
 						precision = va_arg(ap, int);
diff --git a/main/spprintf.c b/main/spprintf.c
index 37b81dc6d530..512a178275b8 100644
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -148,12 +148,12 @@
 #define NUM(c) (c - '0')
 
 #define STR_TO_DEC(str, num) do {			\
-	num = NUM(*str++);                  	\
-	while (isdigit((int)*str)) {        	\
+	num = NUM(*(str)++);                  	\
+	while (isdigit((unsigned char)*(str))) {\
 		num *= 10;                      	\
-		num += NUM(*str++);             	\
+		num += NUM(*(str)++);             	\
 		if (num >= INT_MAX / 10) {			\
-			while (isdigit((int)*str++));	\
+			while (isdigit((unsigned char)*(str)++));	\
 			break;							\
 		}									\
     }										\
@@ -240,7 +240,7 @@ static void xbuf_format_converter(void *xbuf, bool is_char, const char *fmt, va_
 			/*
 			 * Try to avoid checking for flags, width or precision
 			 */
-			if (isascii((int)*fmt) && !islower((int)*fmt)) {
+			if (isascii((unsigned char)*fmt) && !islower((unsigned char)*fmt)) {
 				/*
 				 * Recognize flags: -, #, BLANK, +
 				 */
@@ -262,7 +262,7 @@ static void xbuf_format_converter(void *xbuf, bool is_char, const char *fmt, va_
 				/*
 				 * Check if a width was specified
 				 */
-				if (isdigit((int)*fmt)) {
+				if (isdigit((unsigned char)*fmt)) {
 					STR_TO_DEC(fmt, min_width);
 					adjust_width = true;
 				} else if (*fmt == '*') {
@@ -282,7 +282,7 @@ static void xbuf_format_converter(void *xbuf, bool is_char, const char *fmt, va_
 				if (*fmt == '.') {
 					adjust_precision = true;
 					fmt++;
-					if (isdigit((int)*fmt)) {
+					if (isdigit((unsigned char)*fmt)) {
 						STR_TO_DEC(fmt, precision);
 					} else if (*fmt == '*') {
 						precision = va_arg(ap, int);
diff --git a/main/streams/streams.c b/main/streams/streams.c
index 4c66d8aadc39..06117a521f53 100644
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -1856,7 +1856,7 @@ static inline zend_result php_stream_wrapper_scheme_validate(const char *protoco
 	unsigned int i;
 
 	for(i = 0; i < protocol_len; i++) {
-		if (!isalnum((int)protocol[i]) &&
+		if (!isalnum((unsigned char)protocol[i]) &&
 			protocol[i] != '+' &&
 			protocol[i] != '-' &&
 			protocol[i] != '.') {
@@ -1936,7 +1936,7 @@ PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, const
 		return (php_stream_wrapper*)((options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper);
 	}
 
-	for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
+	for (p = path; isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
 		n++;
 	}
 
diff --git a/main/streams/transports.c b/main/streams/transports.c
index 6fc2848be6e6..0db8f4d0130c 100644
--- a/main/streams/transports.c
+++ b/main/streams/transports.c
@@ -94,7 +94,7 @@ PHPAPI php_stream *_php_stream_xport_create(const char *name, size_t namelen, in
 		}
 	}
 
-	for (p = name; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
+	for (p = name; isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
 		n++;
 	}
 
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
index 753196f5f79c..e326d07c37ec 100644
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -655,7 +655,7 @@ static int sapi_cli_server_register_entry_cb(zval *entry, int num_args, va_list
 			if (key[i] == '-') {
 				key[i] = '_';
 			} else {
-				key[i] = toupper(key[i]);
+				key[i] = toupper((unsigned char)key[i]);
 			}
 		}
 		spprintf(&real_key, 0, "%s_%s", "HTTP", key);
diff --git a/sapi/fpm/fpm/fpm_conf.c b/sapi/fpm/fpm/fpm_conf.c
index 389a85a7d0fc..bb2725fcdfb1 100644
--- a/sapi/fpm/fpm/fpm_conf.c
+++ b/sapi/fpm/fpm/fpm_conf.c
@@ -962,7 +962,7 @@ static int fpm_conf_process_all_pools(void)
 			}
 
 			for (i = 0; i < strlen(status); i++) {
-				if (!isalnum(status[i]) && status[i] != '/' && status[i] != '-' && status[i] != '_' && status[i] != '.' && status[i] != '~') {
+				if (!isalnum((unsigned char)status[i]) && status[i] != '/' && status[i] != '-' && status[i] != '_' && status[i] != '.' && status[i] != '~') {
 					zlog(ZLOG_ERROR, "[pool %s] the status path '%s' must contain only the following characters '[alphanum]/_-.~'", wp->config->name, status);
 					return -1;
 				}
@@ -985,7 +985,7 @@ static int fpm_conf_process_all_pools(void)
 			}
 
 			for (i = 0; i < strlen(ping); i++) {
-				if (!isalnum(ping[i]) && ping[i] != '/' && ping[i] != '-' && ping[i] != '_' && ping[i] != '.' && ping[i] != '~') {
+				if (!isalnum((unsigned char)ping[i]) && ping[i] != '/' && ping[i] != '-' && ping[i] != '_' && ping[i] != '.' && ping[i] != '~') {
 					zlog(ZLOG_ERROR, "[pool %s] the ping path '%s' must contain only the following characters '[alphanum]/_-.~'", wp->config->name, ping);
 					return -1;
 				}
diff --git a/sapi/litespeed/lsapi_main.c b/sapi/litespeed/lsapi_main.c
index 79fae63507c1..5a87699c7c21 100644
--- a/sapi/litespeed/lsapi_main.c
+++ b/sapi/litespeed/lsapi_main.c
@@ -1697,12 +1697,12 @@ PHP_FUNCTION(litespeed_response_headers)
             len = p - h->header;
             if (p && len > 0 && len < LSAPI_RESP_HTTP_HEADER_MAX) {
                 memmove( headerBuf, h->header, len );
-                while( len > 0 && (isspace( headerBuf[len-1])) ) {
+                while( len > 0 && (isspace((unsigned char)headerBuf[len - 1])) ) {
                     --len;
                 }
                 headerBuf[len] = 0;
                 if ( len ) {
-                    while( isspace(*++p));
+                    while(isspace((unsigned char)*++p));
                     add_assoc_string_ex(return_value, headerBuf, len, p);
                 }
             }
diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c
index fc2882d898d3..57735de28a90 100644
--- a/sapi/litespeed/lsapilib.c
+++ b/sapi/litespeed/lsapilib.c
@@ -2212,7 +2212,7 @@ static char * GetHeaderVar( LSAPI_Request * pReq, const char * name )
 
             while(( pKey < pKeyEnd )&&( *p ))
             {
-                char ch = toupper( *pKey );
+                char ch = toupper( (unsigned char)*pKey );
                 if ((ch != *p )||(( *p == '_' )&&( ch != '-')))
                     break;
                 ++p; ++pKey;
@@ -2396,7 +2396,7 @@ int LSAPI_ForeachHeader_r( LSAPI_Request * pReq,
                 if ( ch == '-' )
                     *p++ = '_';
                 else
-                    *p++ = toupper( ch );
+                    *p++ = toupper( (unsigned char)ch );
             }
             *p = 0;
             keyLen += 5;
@@ -2641,7 +2641,7 @@ int LSAPI_ParseSockAddr( const char * pBind, struct sockaddr * pAddr )
     if ( !pBind )
         return -1;
 
-    while( isspace( *pBind ) )
+    while(isspace( (unsigned char)*pBind ) )
         ++pBind;
 
     strncpy(achAddr, pBind, 255);
diff --git a/sapi/phpdbg/phpdbg_cmd.c b/sapi/phpdbg/phpdbg_cmd.c
index 6045b6564da0..9a87777fe528 100644
--- a/sapi/phpdbg/phpdbg_cmd.c
+++ b/sapi/phpdbg/phpdbg_cmd.c
@@ -782,9 +782,9 @@ PHPDBG_API char *phpdbg_read_input(const char *buffered) /* {{{ */
 		}
 	}
 
-	if (buffer && isspace(*buffer)) {
+	if (buffer && isspace((unsigned char)*buffer)) {
 		char *trimmed = buffer;
-		while (isspace(*trimmed))
+		while (isspace((unsigned char)*trimmed))
 			trimmed++;
 
 		trimmed = estrdup(trimmed);
diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
index 448194f13d26..c6d44a3d8c7b 100644
--- a/sapi/phpdbg/phpdbg_prompt.c
+++ b/sapi/phpdbg/phpdbg_prompt.c
@@ -213,7 +213,7 @@ static void phpdbg_line_init(char *cmd, struct phpdbg_init_state *state) {
 
 	state->line++;
 
-	while (cmd_len > 0L && isspace(cmd[cmd_len-1])) {
+	while (cmd_len > 0L && isspace((unsigned char)cmd[cmd_len-1])) {
 		cmd_len--;
 	}
 
diff --git a/sapi/phpdbg/phpdbg_utils.c b/sapi/phpdbg/phpdbg_utils.c
index f638d608905b..04bc117ffb32 100644
--- a/sapi/phpdbg/phpdbg_utils.c
+++ b/sapi/phpdbg/phpdbg_utils.c
@@ -82,10 +82,10 @@ PHPDBG_API int phpdbg_is_numeric(const char *str) /* {{{ */
 		return 0;
 
 	for (; *str; str++) {
-		if (isspace(*str) || *str == '-') {
+		if (isspace((unsigned char)*str) || *str == '-') {
 			continue;
 		}
-		return isdigit(*str);
+		return isdigit((unsigned char)*str);
 	}
 	return 0;
 } /* }}} */
@@ -96,7 +96,7 @@ PHPDBG_API int phpdbg_is_empty(const char *str) /* {{{ */
 		return 1;
 
 	for (; *str; str++) {
-		if (isspace(*str)) {
+		if (isspace((unsigned char)*str)) {
 			continue;
 		}
 		return 0;
@@ -199,12 +199,12 @@ PHPDBG_API char *phpdbg_trim(const char *str, size_t len, size_t *new_len) /* {{
 	const char *p = str;
 	char *new = NULL;
 
-	while (p && isspace(*p)) {
+	while (p && isspace((unsigned char)*p)) {
 		++p;
 		--len;
 	}
 
-	while (*p && isspace(*(p + len -1))) {
+	while (*p && isspace((unsigned char)p[len - 1])) {
 		--len;
 	}
 
diff --git a/win32/sendmail.c b/win32/sendmail.c
index 6263eaac1a09..f314c39eb97d 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -57,7 +57,7 @@
 												efree(response); \
 											} \
 										}
-#define SMTP_SKIP_SPACE(str)	{ while (isspace(*str)) { str++; } }
+#define SMTP_SKIP_SPACE(str)	{ while (isspace((unsigned char)*(str))) { (str)++; } }
 
 
 char seps[] = " ,\t\n";
@@ -725,7 +725,7 @@ static int PostHeader(char *RPath, const char *Subject, const char *mailTo, char
 		headers_lc_len = strlen(headers_lc);
 
 		for (i = 0; i < headers_lc_len; i++) {
-			headers_lc[i] = tolower(headers_lc[i]);
+			headers_lc[i] = tolower((unsigned char)headers_lc[i]);
 		}
 	}
 
@@ -853,7 +853,7 @@ return 0;
 
 	/* Resolve the servers IP */
 	/*
-	if (!isdigit(PW32G(mail_host)[0])||!gethostbyname(PW32G(mail_host)))
+	if (!isdigit((unsigned char)PW32G(mail_host)[0])||!gethostbyname(PW32G(mail_host)))
 	{
 		return (FAILED_TO_RESOLVE_HOST);
 	}

From 56ee76f82045ab728f3e63e20bf9530621e829cb Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 20:11:17 +0200
Subject: [PATCH 12/16] GHSA-74r9-qxhc-fx53: [mbstring] Fix out-of-bounds
 access in mbfl_name2encoding_ex()

Fixes GHSA-74r9-qxhc-fx53
Fixes CVE-2026-6104
---
 ext/mbstring/libmbfl/mbfl/mbfl_encoding.c   |  6 ++-
 ext/mbstring/tests/GHSA-74r9-qxhc-fx53.phpt | 50 +++++++++++++++++++++
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 ext/mbstring/tests/GHSA-74r9-qxhc-fx53.phpt

diff --git a/ext/mbstring/libmbfl/mbfl/mbfl_encoding.c b/ext/mbstring/libmbfl/mbfl/mbfl_encoding.c
index 6e44f68b8579..f1e25dc7537b 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfl_encoding.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfl_encoding.c
@@ -349,7 +349,8 @@ const mbfl_encoding *mbfl_name2encoding_ex(const char *name, size_t name_len)
 	/* search MIME charset name */
 	for (encoding = mbfl_encoding_ptr_list; *encoding; encoding++) {
 		if ((*encoding)->mime_name) {
-			if (strncasecmp((*encoding)->mime_name, name, name_len) == 0 && (*encoding)->mime_name[name_len] == '\0') {
+			size_t mime_len = strlen((*encoding)->mime_name);
+			if (mime_len == name_len && strncasecmp((*encoding)->mime_name, name, name_len) == 0) {
 				return *encoding;
 			}
 		}
@@ -359,7 +360,8 @@ const mbfl_encoding *mbfl_name2encoding_ex(const char *name, size_t name_len)
 	for (encoding = mbfl_encoding_ptr_list; *encoding; encoding++) {
 		if ((*encoding)->aliases) {
 			for (const char **alias = (*encoding)->aliases; *alias; alias++) {
-				if (strncasecmp(name, *alias, name_len) == 0 && (*alias)[name_len] == '\0') {
+				size_t alias_len = strlen(*alias);
+				if (alias_len == name_len && strncasecmp(name, *alias, name_len) == 0) {
 					return *encoding;
 				}
 			}
diff --git a/ext/mbstring/tests/GHSA-74r9-qxhc-fx53.phpt b/ext/mbstring/tests/GHSA-74r9-qxhc-fx53.phpt
new file mode 100644
index 000000000000..e58be7e50d8a
--- /dev/null
+++ b/ext/mbstring/tests/GHSA-74r9-qxhc-fx53.phpt
@@ -0,0 +1,50 @@
+--TEST--
+GHSA-74r9-qxhc-fx53: Out-of-bounds access in mbfl_name2encoding_ex()
+--CREDITS--
+Akshay Jain (AkshayJainG)
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+
+$encoding = "UTF-8\x00AAAAAAAAAAAAAAAA";
+$alias = "binary\x00AAAAAAAAAAAAAAAA";
+$var = 'foo';
+
+function test($c) {
+    try {
+        $c();
+    } catch (Throwable $e) {
+        echo $e::class, ': ', $e->getMessage(), "\n";
+    }
+}
+
+ini_set('mbstring.detect_order', $encoding);
+ini_set('mbstring.detect_order', $alias);
+ini_set('mbstring.http_output', $encoding);
+ini_set('mbstring.http_output', $alias);
+
+test(fn () => mb_convert_encoding('foo', $encoding, $encoding));
+test(fn () => mb_convert_encoding('foo', $alias, $alias));
+test(fn () => mb_detect_encoding('foo', $encoding));
+test(fn () => mb_detect_encoding('foo', $alias));
+test(fn () => mb_convert_variables($encoding, $alias, $var));
+test(fn () => mb_detect_order($encoding));
+test(fn () => mb_detect_order($alias));
+
+?>
+--EXPECTF--
+Warning: ini_set(): INI setting contains invalid encoding "UTF-8" in %s on line %d
+
+Warning: ini_set(): INI setting contains invalid encoding "binary" in %s on line %d
+
+Deprecated: ini_set(): Use of mbstring.http_output is deprecated in %s on line %d
+
+Deprecated: ini_set(): Use of mbstring.http_output is deprecated in %s on line %d
+ValueError: mb_convert_encoding(): Argument #3 ($from_encoding) contains invalid encoding "UTF-8"
+ValueError: mb_convert_encoding(): Argument #3 ($from_encoding) contains invalid encoding "binary"
+ValueError: mb_detect_encoding(): Argument #2 ($encodings) contains invalid encoding "UTF-8"
+ValueError: mb_detect_encoding(): Argument #2 ($encodings) contains invalid encoding "binary"
+ValueError: mb_convert_variables(): Argument #2 ($from_encoding) contains invalid encoding "binary"
+ValueError: mb_detect_order(): Argument #1 ($encoding) contains invalid encoding "UTF-8"
+ValueError: mb_detect_order(): Argument #1 ($encoding) contains invalid encoding "binary"

From 72e3d8598de189085178108ca1a5e7e7d186a2bd Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed, 6 May 2026 13:19:57 +0200
Subject: [PATCH 13/16] Fix mbstring test with oniguruma deprecation

---
 Zend/tests/GHSA-wm6j-2649-pv75.phpt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
index 7257af27cb87..c1035938bd7b 100644
--- a/Zend/tests/GHSA-wm6j-2649-pv75.phpt
+++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
@@ -15,6 +15,8 @@ mb_regex_encoding('iso-8859-11');
 mb_ereg_search_init('x');
 ?>
 --EXPECTF--
+Deprecated: Function mb_regex_encoding() is deprecated since 8.6, because the underlying library is no longer maintained in %s on line %d
+
 Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
 Stack trace:
 #0 %s(%d): mb_regex_encoding('iso-8859-11')

From 887e6495c24c65c53d79931fdbc7a0c2681353dc Mon Sep 17 00:00:00 2001
From: Sergey Panteleev <sergey@php.net>
Date: Tue, 5 May 2026 16:52:42 +0300
Subject: [PATCH 14/16] [skip ci] Add NEWS entries for 8.2.31 security issues

---
 NEWS | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/NEWS b/NEWS
index c9b334b1645a..4262fbabcb65 100644
--- a/NEWS
+++ b/NEWS
@@ -5,9 +5,36 @@ PHP                                                                        NEWS
 - Curl:
   . Add support for brotli and zstd on Windows. (Shivam Mathur)
 
+- FPM:
+  . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
+    (Jakub Zelenka)
+
+- MBString:
+  . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
+    php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
+    (vi3tL0u1s)
+
 - OpenSSL:
   . Fix compatibility issues with OpenSSL 4.0. (jordikroon, Remi)
 
+- PDO_Firebird:
+  . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings).
+    (CVE-2025-14179) (SakiTakamachi)
+
+- SOAP:
+  . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache
+    Map). (CVE-2026-6722) (ilutov)
+  . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
+    SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
+  . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
+    (CVE-2026-7262) (ilutov)
+
+- Standard:
+  . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset).
+    (CVE-2026-7568) (TimWolla)
+  . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
+    functions). (CVE-2026-7258) (ilutov)
+
 18 Dec 2025, PHP 8.2.30
 
 - Curl:

From e9e41af5331307c1ac4dab01e9b844b1732f55fc Mon Sep 17 00:00:00 2001
From: Sergey Panteleev <sergey@php.net>
Date: Wed, 6 May 2026 15:48:57 +0300
Subject: [PATCH 15/16] PHP-8.2 is now for PHP 8.2.32-dev

---
 NEWS               | 5 ++++-
 Zend/zend.h        | 2 +-
 configure.ac       | 2 +-
 main/php_version.h | 6 +++---
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index 4262fbabcb65..975ee123ada6 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? ????, PHP 8.2.31
+?? ??? ????, PHP 8.2.32
+
+
+07 May 2026, PHP 8.2.31
 
 - Curl:
   . Add support for brotli and zstd on Windows. (Shivam Mathur)
diff --git a/Zend/zend.h b/Zend/zend.h
index f43d20d59e47..b500c17a599f 100644
--- a/Zend/zend.h
+++ b/Zend/zend.h
@@ -20,7 +20,7 @@
 #ifndef ZEND_H
 #define ZEND_H
 
-#define ZEND_VERSION "4.2.31-dev"
+#define ZEND_VERSION "4.2.32-dev"
 
 #define ZEND_ENGINE_3
 
diff --git a/configure.ac b/configure.ac
index 1c8244701a68..70b0d6f604be 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice.
 dnl ----------------------------------------------------------------------------
 
 AC_PREREQ([2.68])
-AC_INIT([PHP],[8.2.31-dev],[https://github.com/php/php-src/issues],[php],[https://www.php.net])
+AC_INIT([PHP],[8.2.32-dev],[https://github.com/php/php-src/issues],[php],[https://www.php.net])
 AC_CONFIG_SRCDIR([main/php_version.h])
 AC_CONFIG_AUX_DIR([build])
 AC_PRESERVE_HELP_ORDER
diff --git a/main/php_version.h b/main/php_version.h
index 5fa68abe4889..e431a4d08189 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
 /* edit configure.ac to change version number */
 #define PHP_MAJOR_VERSION 8
 #define PHP_MINOR_VERSION 2
-#define PHP_RELEASE_VERSION 31
+#define PHP_RELEASE_VERSION 32
 #define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "8.2.31-dev"
-#define PHP_VERSION_ID 80231
+#define PHP_VERSION "8.2.32-dev"
+#define PHP_VERSION_ID 80232

From fee84dd8c7699e4e7f9b2e864a393ee5a372f974 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed, 6 May 2026 16:33:44 +0200
Subject: [PATCH 16/16] [skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt

As requested by the reporter.
---
 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
index 79c6b6567339..cf9a40062f84 100644
--- a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -1,7 +1,7 @@
 --TEST--
 GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
 --CREDITS--
-012git012
+Aleksey Solovev (Positive Technologies)
 --INI--
 memory_limit=3G
 --SKIPIF--