From 30d81f9ef0a84462025ce949cddb7bc76290b5b9 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Fri, 19 Sep 2025 12:29:46 +0100
Subject: [PATCH] Fix GH-19885: dba_fetch() overflow on skip argument. close GH-19887
---
 ext/dba/dba.c | 5 +++++
 ext/dba/tests/gh19885.phpt | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 ext/dba/tests/gh19885.phpt
diff --git a/ext/dba/dba.c b/ext/dba/dba.c
index 9affb5aa6fc19..1474573f3e4de 100644
--- a/ext/dba/dba.c
+++ b/ext/dba/dba.c
@@ -984,6 +984,11 @@ PHP_FUNCTION(dba_fetch)
 ZEND_PARSE_PARAMETERS_END();
 }
+ if (ZEND_LONG_EXCEEDS_INT(skip)) {
+ zend_argument_value_error(3, "must be between %d and %d", INT_MIN, INT_MAX);
+ RETURN_THROWS();
+ }
+
 DBA_FETCH_RESOURCE(info, id);
 if (key_ht) {
diff --git a/ext/dba/tests/gh19885.phpt b/ext/dba/tests/gh19885.phpt
new file mode 100644
index 0000000000000..987aea4f175a2
--- /dev/null
+++ b/ext/dba/tests/gh19885.phpt
@@ -0,0 +1,35 @@
+--TEST--
+GH-19885 (dba_fetch() segfault on large skip values)
+--EXTENSIONS--
+dba
+--SKIPIF--
+
+--FILE--
+getMessage(), PHP_EOL;
+}
+
+try {
+ dba_fetch("1", $db, PHP_INT_MAX);
+} catch (\ValueError $e) {
+ echo $e->getMessage(), PHP_EOL;
+}
+// negative skip needs to remain acceptable albeit corrected down the line
+var_dump(dba_fetch("1", $db, -1000000));
+?>
+--EXPECTF--
+dba_fetch(): Argument #3 ($skip) must be between -%d and %d
+dba_fetch(): Argument #3 ($skip) must be between -%d and %d
+
+Notice: dba_fetch(): Handler cdb accepts only skip values greater than or equal to zero, using skip=0 in %s on line %d
+string(1) "1"
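Review bot: The added `ZEND_LONG_EXCEEDS_INT(skip)` guard in PHP_FUNCTION(dba_fetch) has no comment saying which conversion it protects, so a later refactor could move or drop it without realising it is the fix for the out-of-range `skip` crash. I would put a line above it such as `/* skip is narrowed to int further down; reject values that would not survive the conversion */`; where the narrowing happens is inferred, since it is not visible in this hunk. The guard only bounds the value to the int range, so negative and large in-range values still pass. The test's own comment says a negative skip is "corrected down the line", which leaves that clamping to code outside the hunk and is worth confirming for every handler, not only the cdb one the expected notice names. The function body starts and ends outside this hunk.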