Fix phpGH-19885: dba_fetch() overflow on skip argument.

devnexen · devnexen · commit 933e087843a2 · 2025-09-21T14:23:53.000+01:00
close phpGH-19887
diff --git a/NEWS b/NEWS
@@ -19,6 +19,9 @@ PHP                                                                        NEWS
   . Fixed GH-17159: "P" format for ::createFromFormat swallows string literals.
     (nielsdos)
 
+- DBA:
+  . Fixed GH-19885 (dba_fetch() overflow on skip argument). (David Carlier)
+
 - Curl:
   . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead
     of the curl_copy_handle() function to clone a CurlHandle. (timwolla)
diff --git a/ext/dba/dba.c b/ext/dba/dba.c
@@ -984,6 +984,11 @@ PHP_FUNCTION(dba_fetch)
 		ZEND_PARSE_PARAMETERS_END();
 	}
 
+	if (ZEND_LONG_EXCEEDS_INT(skip)) {
+		zend_argument_value_error(3, "must be between %d and %d", INT_MIN, INT_MAX);
+		RETURN_THROWS();
+	}
+
 	DBA_FETCH_RESOURCE(info, id);
 
 	if (key_ht) {
diff --git a/ext/dba/tests/gh19885.phpt b/ext/dba/tests/gh19885.phpt
@@ -0,0 +1,35 @@
+--TEST--
+GH-19885 (dba_fetch() segfault on large skip values)
+--EXTENSIONS--
+dba
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only");
+$handler = 'cdb';
+require_once(__DIR__ .'/skipif.inc');
+?>
+--FILE--
+<?php
+$handler = 'cdb';
+$db_file = __DIR__.'/test.cdb';
+$db =dba_open($db_file, "r", $handler);
+try {
+	dba_fetch("1", $db, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+
+try {
+	dba_fetch("1", $db, PHP_INT_MAX);
+} catch (\ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+// negative skip needs to remain acceptable albeit corrected down the line
+var_dump(dba_fetch("1", $db, -1000000));
+?>
+--EXPECTF--
+dba_fetch(): Argument #3 ($skip) must be between -%d and %d
+dba_fetch(): Argument #3 ($skip) must be between -%d and %d
+
+Notice: dba_fetch(): Handler cdb accepts only skip values greater than or equal to zero, using skip=0 in %s on line %d
+string(1) "1"
