Fix GH-16189: underflow on preg_match/preg_match_all start_offset.

close GH-16191

NEWS

@@ -37,6 +37,9 @@ PHP                                                                        NEWS
 - OpenSSL:
   . Fixed stub for openssl_csr_new. (Jakub Zelenka)
 
+- PCRE:
+  . Fixed GH-16189 (underflow on offset argument). (David Carlier)
+
 - PHPDBG:
   . Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)
   . Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).

ext/pcre/php_pcre.c

@@ -1135,6 +1135,11 @@ static void php_do_pcre_match(INTERNAL_FUNCTION_PARAMETERS, int global) /* {{{ *
 		RETURN_FALSE;
 	}
 
+	if (start_offset == ZEND_LONG_MIN) {
+		zend_argument_value_error(5, "must be greater than " ZEND_LONG_FMT, ZEND_LONG_MIN);
+		RETURN_THROWS();
+	}
+
 	pce->refcount++;
 	php_pcre_match_impl(pce, subject, return_value, subpats,
 		global, ZEND_NUM_ARGS() >= 4, flags, start_offset);

ext/pcre/tests/gh16189.phpt

@@ -0,0 +1,19 @@
+--TEST--
+GH-16189 (preg_match/preg_match_all underflow on start_offset argument)
+--FILE--
+<?php
+
+try {
+	preg_match( '/<(\w+)[\s\w\-]+ id="S44_i89ew">/', '<br><div id="S44_i89ew">', $matches, 0, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	preg_match_all( '/<(\w+)[\s\w\-]+ id="S44_i89ew">/', '<br><div id="S44_i89ew">', $matches, 0, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+?>
+--EXPECTF--
+preg_match(): Argument #5 ($offset) must be greater than %s
+preg_match_all(): Argument #5 ($offset) must be greater than %s