author | Remi Collet <remi@php.net> | 2013-05-21 18:04:17 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2013-05-21 18:04:17 +0200 |
commit | 4828f7343b3f31d914f4d4a5545865b8a19f7fb6 (patch) | |
tree | b86c6ec1fa4766bc29a9eca21b6eb72c30219e19 /ext/calendar | |
parent | 46b05bc57aee7a24f87a31a079f9076f4870b780 (diff) | |
download | php-git-4828f7343b3f31d914f4d4a5545865b8a19f7fb6.tar.gz |
Integer overflow in SndToJewish leads to php hang
At least in (inputDay is long, metonicCycle is int):
metonicCycle = (inputDay + 310) / 6940;
So large values give strange (negative) results or php hangs.
This is a patch already applied in some Linux distros.
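The narrowing described in the commit message above, as an added example that is not part of the commit or of PHP's source: the quotient is computed in 64 bits and range-checked before it is stored in an `int`. The helper names `sdn_in_range` and `metonic_cycle_checked` are hypothetical, the constants are the ones shown on this page, and deriving `inputDay` as `sdn - JEWISH_SDN_OFFSET` is an assumption about the surrounding code.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define JEWISH_SDN_OFFSET 347997    /* value shown in the diff context */
#define JEWISH_SDN_MAX    38245310  /* bound added by the patch */

/* Mirrors the patched range test in SdnToJewish(). */
static int sdn_in_range(int64_t sdn)
{
    return !(sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX);
}

/*
 * Hypothetical helper: computes (inputDay + 310) / 6940 in 64 bits and
 * stores it only if it fits in an int. Returns 1 on success, 0 otherwise.
 * Assumption: inputDay is sdn - JEWISH_SDN_OFFSET.
 */
static int metonic_cycle_checked(int64_t sdn, int *cycle)
{
    int64_t input_day, wide;

    if (sdn <= JEWISH_SDN_OFFSET)
        return 0;
    input_day = sdn - JEWISH_SDN_OFFSET;
    if (input_day > INT64_MAX - 310)      /* the addition itself would overflow */
        return 0;
    wide = (input_day + 310) / 6940;
    if (wide > INT_MAX)                   /* would not survive the store to int */
        return 0;
    *cycle = (int)wide;
    return 1;
}

int main(void)
{
    /* The three inputs used by the test in this commit. */
    const int64_t samples[] = { 38245310, 38245311, INT64_C(9223372036854743639) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int cycle = 0;
        int fits = metonic_cycle_checked(samples[i], &cycle);
        printf("sdn=%" PRId64 " in_range=%d fits_int=%d cycle=%d\n",
               samples[i], sdn_in_range(samples[i]), fits, cycle);
    }
    return 0;
}
```

For 38245311 the quotient still fits in an `int`, so `JEWISH_SDN_MAX` is tighter than this one narrowing alone requires.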
Diffstat (limited to 'ext/calendar')
-rw-r--r-- | ext/calendar/jewish.c | 3 | ||||
-rw-r--r-- | ext/calendar/tests/jdtojewish64.phpt | 18 |
2 files changed, 20 insertions, 1 deletions
diff --git a/ext/calendar/jewish.c b/ext/calendar/jewish.c index f4dc7c35ae..1e7a06c8a6 100644 --- a/ext/calendar/jewish.c +++ b/ext/calendar/jewish.c @@ -272,6 +272,7 @@ #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7)) #define JEWISH_SDN_OFFSET 347997 +#define JEWISH_SDN_MAX 38245310 /* year 103759, 100000 A.D. */ #define NEW_MOON_OF_CREATION 31524 #define SUNDAY 0 @@ -519,7 +520,7 @@ void SdnToJewish( int tishri1After; int yearLength; - if (sdn <= JEWISH_SDN_OFFSET) { + if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) { *pYear = 0; *pMonth = 0; *pDay = 0; diff --git a/ext/calendar/tests/jdtojewish64.phpt b/ext/calendar/tests/jdtojewish64.phpt new file mode 100644 index 0000000000..50f7f33c7b --- /dev/null +++ b/ext/calendar/tests/jdtojewish64.phpt @@ -0,0 +1,18 @@ +--TEST-- +Integer overflow in SndToJewish leads to php hang +--SKIPIF-- +<?php +include 'skipif.inc'; +if (PHP_INT_SIZE == 4) { + die("skip this test is for 64bit platform only"); +} +?> +--FILE-- +<?php +$a = array(38245310, 38245311, 9223372036854743639); + +foreach ($a as $x) var_dump(jdtojewish($x)); +--EXPECTF-- +string(11) "2/22/103759" +string(5) "0/0/0" +string(5) "0/0/0" |
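Review bot: The comment on `JEWISH_SDN_MAX` in the `#define` hunk of ext/calendar/jewish.c gives the date the value maps to but not why this value was chosen as the limit. Since the commit message says the overflow occurs "at least" in the `metonicCycle` assignment, please state in the comment whether the bound is the largest input for which every intermediate `int` is safe or simply a calendar cut-off at 100000 A.D., so that a later change to the constant does not reintroduce the hang.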
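Review bot: In the `SdnToJewish` hunk, an `sdn` above `JEWISH_SDN_MAX` now takes the same early return as an `sdn` at or below `JEWISH_SDN_OFFSET`, so a caller sees year, month and day of 0 and cannot tell which bound was hit. That matches the existing behaviour for the lower bound, but the function's header comment and the documentation for `jdtojewish()` should mention the new upper bound, because it changes what is returned for large inputs.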
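Review bot: The SKIPIF section of ext/calendar/tests/jdtojewish64.phpt skips the whole test when `PHP_INT_SIZE == 4`, yet the two boundary values 38245310 and 38245311 fit in a 32-bit integer; only 9223372036854743639 needs a 64-bit platform. Consider moving the two boundary cases into a test that runs everywhere, so the new `sdn > JEWISH_SDN_MAX` check is also covered on 32-bit builds. The --TEST-- title also spells the function `SndToJewish` rather than `SdnToJewish`.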