Fix GH-19885: dba_fetch() overflow on skip argument.

devnexen · devnexen · commit 07643df57d6f · 2025-09-19T13:47:53.000+01:00
diff --git a/ext/dba/dba.c b/ext/dba/dba.c
@@ -984,6 +984,11 @@ PHP_FUNCTION(dba_fetch)
 		ZEND_PARSE_PARAMETERS_END();
 	}
 
+	if (ZEND_LONG_EXCEEDS_INT(skip)) {
+		zend_argument_value_error(3, "must be between %d and %d", INT_MIN, INT_MAX);
+		RETURN_THROWS();
+	}
+
 	DBA_FETCH_RESOURCE(info, id);
 
 	if (key_ht) {
diff --git a/ext/dba/tests/gh19885.phpt b/ext/dba/tests/gh19885.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-19885 (dba_fetch() segfault on large skip values)
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only");
+require_once(__DIR__ .'/skipif.inc');
+die("info $HND handler used");
+?>
+--FILE--
+<?php
+$handler = 'cdb';
+$db_file = __DIR__.'/test.cdb';
+$db =dba_open($db_file, "r", $handler);
+try {
+	dba_fetch("1", $db, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+
+try {
+	dba_fetch("1", $db, PHP_INT_MAX);
+} catch (\ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+// negative skip needs to remain acceptable albeit corrected down the line
+var_dump(dba_fetch("1", $db, -1000000));
+?>
+--EXPECTF--
+dba_fetch(): Argument #3 ($skip) must be between %i and %d
+dba_fetch(): Argument #3 ($skip) must be between %i and %d
+
+Notice: dba_fetch(): Handler cdb accepts only skip values greater than or equal to zero, using skip=0 in %s on line %d
+string(1) "1"
