From 3b6d83aa9cee75f32aecdaa83bfd2534d2adddcf Mon Sep 17 00:00:00 2001 From: Marc Bennewitz Date: Sun, 21 Sep 2025 13:25:24 +0200 Subject: [PATCH 1/2] ext/standard: set[raw]cookie: No format call needed for constant expires (#19900) --- ext/standard/head.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/ext/standard/head.c b/ext/standard/head.c index 0b497fdc42aab..f94c7f596c2c5 100644 --- a/ext/standard/head.c +++ b/ext/standard/head.c @@ -131,13 +131,9 @@ PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t e * so in order to force cookies to be deleted, even on MSIE, we * pick an expiry date in the past */ - dt = php_format_date("D, d M Y H:i:s \\G\\M\\T", sizeof("D, d M Y H:i:s \\G\\M\\T")-1, 1, 0); smart_str_appends(&buf, "Set-Cookie: "); smart_str_append(&buf, name); - smart_str_appends(&buf, "=deleted; expires="); - smart_str_append(&buf, dt); - smart_str_appends(&buf, "; Max-Age=0"); - zend_string_free(dt); + smart_str_appends(&buf, "=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0"); } else { smart_str_appends(&buf, "Set-Cookie: "); smart_str_append(&buf, name); From 933e087843a29f8b1d5c2a62c3081ec04ada5933 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 19 Sep 2025 12:29:46 +0100 Subject: [PATCH 2/2] Fix GH-19885: dba_fetch() overflow on skip argument. close GH-19887 --- NEWS | 3 +++ ext/dba/dba.c | 5 +++++ ext/dba/tests/gh19885.phpt | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 ext/dba/tests/gh19885.phpt diff --git a/NEWS b/NEWS index ace911f500c44..fc3c0662b9328 100644 --- a/NEWS +++ b/NEWS @@ -19,6 +19,9 @@ PHP NEWS . Fixed GH-17159: "P" format for ::createFromFormat swallows string literals. (nielsdos) +- DBA: + . Fixed GH-19885 (dba_fetch() overflow on skip argument). (David Carlier) + - Curl: . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle. (timwolla) 
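Review bot: The hard-coded `expires=Thu, 01 Jan 1970 00:00:01 GMT` carries no comment saying where the literal comes from, so a later reader cannot tell whether the odd 00:00:01 is deliberate; it is the GMT rendering of timestamp 1 that the removed `php_format_date(..., 1, 0)` call produced, and clients and existing tests compare these header bytes. I would put `/* Literal is php_format_date("D, d M Y H:i:s \\G\\M\\T", ..., 1, 0) for timestamp 1; keep it byte-identical to the formatted output */` above the new `smart_str_appends` line. If `dt` was declared at function scope only for this branch, its declaration should be dropped as well, otherwise it stays as an unused variable; php_setcookie starts and ends outside the hunk, so I cannot tell from here whether the else branch still uses it.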
diff --git a/ext/dba/dba.c b/ext/dba/dba.c index 9affb5aa6fc19..1474573f3e4de 100644 --- a/ext/dba/dba.c +++ b/ext/dba/dba.c @@ -984,6 +984,11 @@ PHP_FUNCTION(dba_fetch) ZEND_PARSE_PARAMETERS_END(); } + if (ZEND_LONG_EXCEEDS_INT(skip)) { + zend_argument_value_error(3, "must be between %d and %d", INT_MIN, INT_MAX); + RETURN_THROWS(); + } + DBA_FETCH_RESOURCE(info, id); if (key_ht) { diff --git a/ext/dba/tests/gh19885.phpt b/ext/dba/tests/gh19885.phpt new file mode 100644 index 0000000000000..987aea4f175a2 --- /dev/null +++ b/ext/dba/tests/gh19885.phpt @@ -0,0 +1,35 @@ +--TEST-- +GH-19885 (dba_fetch() segfault on large skip values) +--EXTENSIONS-- +dba +--SKIPIF-- + +--FILE-- +getMessage(), PHP_EOL; +} + +try { + dba_fetch("1", $db, PHP_INT_MAX); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} +// negative skip needs to remain acceptable albeit corrected down the line +var_dump(dba_fetch("1", $db, -1000000)); +?> +--EXPECTF-- +dba_fetch(): Argument #3 ($skip) must be between -%d and %d +dba_fetch(): Argument #3 ($skip) must be between -%d and %d + +Notice: dba_fetch(): Handler cdb accepts only skip values greater than or equal to zero, using skip=0 in %s on line %d +string(1) "1"
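Review bot: The new `ZEND_LONG_EXCEEDS_INT(skip)` guard does not say why a zend_long argument is confined to the int range, which is the whole point of the fix; the skip value is presumably narrowed to an `int` further down the handler path (GH-19885), so a one-line comment should record that: `/* skip is narrowed to int on the handler path; reject values that do not fit instead of truncating (GH-19885) */`. Placing the check before `DBA_FETCH_RESOURCE` is the right order, since a bad argument is rejected before the handle is touched. On builds where zend_long and int are both 32-bit the macro never fires, which is consistent with the INT_MIN..INT_MAX range the message reports. PHP_FUNCTION(dba_fetch) starts and ends outside the hunk.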
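Review bot: The expected `must be between -%d and %d` lines in the new gh19885.phpt only hold where zend_long is wider than int, because `ZEND_LONG_EXCEEDS_INT` can never be true when both are 32-bit and the PHP_INT_MAX call would then return normally instead of throwing; the SKIPIF body is not visible in this rendering, so if it does not already restrict the test to 64-bit builds, add `if (PHP_INT_SIZE != 8) die('skip 64-bit only');` there. The PHP code of the FILE section appears to have been stripped from this rendering as well, so it could not be reviewed further.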