PHP :: Bug #53574 :: Integer overflow in SdnToJulian
| Bug #53574 | Integer overflow in SdnToJulian | ||||
|---|---|---|---|---|---|
| Submitted: | 2010-12-19 15:08 UTC | Modified: | 2011-09-28 13:32 UTC | ||
| From: | m dot kocielski at gmail dot com | Assigned: | cataphract (profile) | ||
| Status: | Closed | Package: | Calendar related | ||
| PHP Version: | 5.5.0-dev | OS: | Linux | ||
| Private report: | No | CVE-ID: | None | ||
[2010-12-19 15:08 UTC] m dot kocielski at gmail dot com
Description:
------------
*cut*
void SdnToJulian(
long int sdn,
int *pYear,
int *pMonth,
int *pDay)
{
int year;
int month;
int day;
long int temp;
int dayOfYear;
if (sdn <= 0) {
*pYear = 0;
*pMonth = 0;
*pDay = 0;
return;
}
temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
*cut*
temp could here be less then 0 due to integer overflow (when sdn is large enough).
Test script:
---------------
<?php
for(;;) {
$x = rand(0, 2147483640);
echo "$x\n";
$dummy = cal_from_jd($x,0);
$dummy = cal_from_jd($x,1);
}
?>
Expected result:
----------------
Sigsegv:
$ php core1.php
758413092
1698116908
42935006
988939165
101976420
1332880082
882858043
Naruszenie ochrony pamięci (SIGSEGV)
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2010-12-20 00:47 UTC] cataphract@php.net
[2011-09-26 20:56 UTC] tyrael@php.net
-Status: Closed +Status: Re-Opened -PHP Version: 5.3.4 +PHP Version: 5.5.0-dev
[2011-09-26 20:56 UTC] tyrael@php.net
[2011-09-26 21:27 UTC] tyrael@php.net