Integer overflow in SndToJewish leads to php hang

AT least in (inputDay is long, metonicCycle is int): metonicCycle = (inputDay + 310) / 6940; So large value give strange (negative) results or php hangs. This is patch already applied in some linux distro.
jrbasso · May 21, 2013 · 4828f73 · 4828f73
1 parent 46b05bc
commit 4828f73
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/ext/calendar/jewish.c b/ext/calendar/jewish.c
@@ -272,6 +272,7 @@
 #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7))
 
 #define JEWISH_SDN_OFFSET 347997
+#define JEWISH_SDN_MAX 38245310 /* year 103759, 100000 A.D. */
 #define NEW_MOON_OF_CREATION 31524
 
 #define SUNDAY    0
@@ -519,7 +520,7 @@ void SdnToJewish(
 	int tishri1After;
 	int yearLength;
 
-	if (sdn <= JEWISH_SDN_OFFSET) {
+	if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) {
 		*pYear = 0;
 		*pMonth = 0;
 		*pDay = 0;

diff --git a/ext/calendar/tests/jdtojewish64.phpt b/ext/calendar/tests/jdtojewish64.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Integer overflow in SndToJewish leads to php hang 
+--SKIPIF--
+<?php 
+include 'skipif.inc';
+if (PHP_INT_SIZE == 4) {
+        die("skip this test is for 64bit platform only");
+}
+?>
+--FILE--
+<?php
+$a = array(38245310, 38245311, 9223372036854743639);
+
+foreach ($a as $x) var_dump(jdtojewish($x));
+--EXPECTF--
+string(11) "2/22/103759"
+string(5) "0/0/0"
+string(5) "0/0/0"