PHP :: Bug #53574 :: Integer overflow in SdnToJulian

Bug #53574 Integer overflow in SdnToJulian
Submitted: 2010-12-19 15:08 UTC
Modified: 2011-09-28 13:32 UTC
From: m dot kocielski at gmail dot com
Assigned: cataphract
Status: Closed
Package: Calendar related
PHP Version: 5.5.0-dev
OS: Linux
Private report: No
CVE-ID: None

 [2010-12-19 15:08 UTC] m dot kocielski at gmail dot com

Description:
------------
*cut*
void SdnToJulian(
					long int sdn,
					int *pYear,
					int *pMonth,
					int *pDay)
{
	int year;
	int month;
	int day;
	long int temp;
	int dayOfYear;

	if (sdn <= 0) {
		*pYear = 0;
		*pMonth = 0;
		*pDay = 0;
		return;
	}

	temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
*cut*

temp could here be less than 0 due to integer overflow (when sdn is large enough).

Test script:
---------------
<?php
for(;;) {
    $x = rand(0, 2147483640);
    echo "$x\n";
    $dummy = cal_from_jd($x,0);
    $dummy = cal_from_jd($x,1);
}
?>


Expected result:
----------------
Sigsegv:

$ php core1.php 
758413092
1698116908
42935006
988939165
101976420
1332880082
882858043
Naruszenie ochrony pamięci (SIGSEGV)
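
The wraparound described in the report, as an added example that is not code from the report or from the PHP project. It models a 32-bit long with int32_t so it behaves the same on any host; the function names are hypothetical and the value of JULIAN_SDN_OFFSET is an assumption, since the report shows only its name.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: offset value as defined in the calendar extension's julian.c;
 * the report shows the name but not the value. */
#define JULIAN_SDN_OFFSET 32083

/* Models the reported expression with a 32-bit long: returns the value that
 * two's-complement wraparound leaves in temp, computed without signed overflow. */
int64_t wrapped_temp32(int32_t sdn)
{
    int64_t exact = ((int64_t)sdn + JULIAN_SDN_OFFSET) * 4 - 1;
    uint32_t low = (uint32_t)exact;            /* reduction modulo 2^32 */
    return low > (uint32_t)INT32_MAX ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Hypothetical guarded form: rejects any sdn for which (sdn + offset) * 4
 * cannot be represented in 32 bits. Returns 0 and stores temp, or -1. */
int checked_temp32(int32_t sdn, int32_t *temp)
{
    if (sdn <= 0 || sdn > INT32_MAX / 4 - JULIAN_SDN_OFFSET)
        return -1;
    *temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
    return 0;
}

int main(void)
{
    /* Two values taken from the report's output, followed by the two day
     * numbers on either side of the bound (computed for this example). */
    const int32_t samples[] = { 42935006, 882858043, 536838828, 536838829 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t t = 0;
        int rc = checked_temp32(samples[i], &t);
        printf("sdn=%ld wrapped=%lld checked=%s\n", (long)samples[i],
               (long long)wrapped_temp32(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The bound is applied before the multiplication, so the guarded function never evaluates an expression that overflows.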




 [2010-12-20 00:47 UTC] cataphract@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-09-26 20:56 UTC] tyrael@php.net

-Status: Closed +Status: Re-Opened -PHP Version: 5.3.4 +PHP Version: 5.5.0-dev

 [2011-09-26 20:56 UTC] tyrael@php.net

on 32bit with the current trunk:

tyrael@phpize32:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(882858030, CAL_GREGORIAN));'
Segmentation fault

I will split the test (ext/calendar/tests/bug53574.log) into two separate tests, one 
for 32bit, one for 64bit, as the EXPECT cannot test both cases in one test easily.

 [2011-09-26 21:27 UTC] tyrael@php.net

on 64bit:

tyrael@phpize:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(9223372036854743639, CAL_GREGORIAN));'
Segmentation fault