From: Gustavo André dos Santos Lopes <cataphract@php.net>
Date: Sun, 19 Dec 2010 23:47:00 +0000 (+0000)
Subject: - Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to
X-Git-Tag: php-5.3.6RC1~199
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f13d9c0e033eb346c773d2f04c2d643dd7df8571;p=php

- Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to
  segfault).
---

diff --git a/NEWS b/NEWS
index 65d8c3b180..aa55786525 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@
     (Ilia)
   . Fixed bug #48607 (fwrite() doesn't check reply from ftp server before
     exiting). (Ilia)
+
+- Calendar extension:
+  . Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to
+    segfault). (Gustavo)
   
 - DateTime extension:
   . Fixed a bug in DateTime->modify() where absolute date/time statements had
diff --git a/ext/calendar/julian.c b/ext/calendar/julian.c
index 39bcbc7e65..17e7bcb597 100644
--- a/ext/calendar/julian.c
+++ b/ext/calendar/julian.c
@@ -146,6 +146,7 @@
  **************************************************************************/
 
 #include "sdncal.h"
+#include <limits.h>
 
 #define JULIAN_SDN_OFFSET         32083
 #define DAYS_PER_5_MONTHS  153
@@ -164,15 +165,22 @@ void SdnToJulian(
 	int dayOfYear;
 
 	if (sdn <= 0) {
-		*pYear = 0;
-		*pMonth = 0;
-		*pDay = 0;
-		return;
+		goto fail;
 	}
-	temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
+	/* Check for overflow */
+	if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) {
+		goto fail;
+	}
+	temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1);
 
 	/* Calculate the year and day of year (1 <= dayOfYear <= 366). */
-	year = temp / DAYS_PER_4_YEARS;
+	{
+		long yearl = temp / DAYS_PER_4_YEARS;
+		if (yearl > INT_MAX || yearl < INT_MIN) {
+			goto fail;
+		}
+		year = (int) yearl;
+	}
 	dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
 
 	/* Calculate the month and day of month. */
@@ -196,6 +204,12 @@ void SdnToJulian(
 	*pYear = year;
 	*pMonth = month;
 	*pDay = day;
+	return;
+
+fail:
+	*pYear = 0;
+	*pMonth = 0;
+	*pDay = 0;
 }
 
 long int JulianToSdn(
diff --git a/ext/calendar/tests/bug53574.phpt b/ext/calendar/tests/bug53574.phpt
new file mode 100644
index 0000000000..e426991354
--- /dev/null
+++ b/ext/calendar/tests/bug53574.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Bug #53574 (Integer overflow in SdnToJulian; leads to segfault)
+--SKIPIF--
+<?php include 'skipif.inc'; ?>
+--FILE--
+<?php
+if (PHP_INT_MAX == 0x7FFFFFFF) {
+	$x = 882858043;
+} else {
+	$x = 3315881921229094912;
+}
+
+var_dump(cal_from_jd($x, CAL_JULIAN));
+--EXPECT--
+array(9) {
+  ["date"]=>
+  string(5) "0/0/0"
+  ["month"]=>
+  int(0)
+  ["day"]=>
+  int(0)
+  ["year"]=>
+  int(0)
+  ["dow"]=>
+  int(3)
+  ["abbrevdayname"]=>
+  string(3) "Wed"
+  ["dayname"]=>
+  string(9) "Wednesday"
+  ["abbrevmonth"]=>
+  string(0) ""
+  ["monthname"]=>
+  string(0) ""
+}
+