Bug #53574 Integer overflow in SdnToJulian
Submitted: 2010-12-19 15:08 UTC Modified: 2011-09-28 13:32 UTC
From: m dot kocielski at gmail dot com Assigned: cataphract (profile)
Status: Closed Package: Calendar related
PHP Version: 5.5.0-dev OS: Linux
Private report: No CVE-ID: None

 [2010-12-19 15:08 UTC] m dot kocielski at gmail dot com
Description:
------------
*cut*
void SdnToJulian(
					long int sdn,
					int *pYear,
					int *pMonth,
					int *pDay)
{
	int year;
	int month;
	int day;
	long int temp;
	int dayOfYear;

	if (sdn <= 0) {
		*pYear = 0;
		*pMonth = 0;
		*pDay = 0;
		return;
	}

	temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
*cut*

temp could here be less than 0 due to integer overflow (when sdn is large enough).

Test script:
---------------
<?php
for(;;) {
    $x = rand(0, 2147483640);
    echo "$x\n";
    $dummy = cal_from_jd($x,0);
    $dummy = cal_from_jd($x,1);
}
?>


Expected result:
----------------
Sigsegv:

$ php core1.php 
758413092
1698116908
42935006
988939165
101976420
1332880082
882858043
Naruszenie ochrony pamięci (SIGSEGV)
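
Added example (not part of the original report and not PHP's own code): it models the excerpt's `temp` computation for a 32-bit `long`, shows the wrap to a negative value for an input taken from the reporter's output, and applies a range guard before the multiplication. The value of `JULIAN_SDN_OFFSET` and all helper names are assumptions; the page shows only the constant's name.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value; the report's excerpt shows only the constant's name. */
#define JULIAN_SDN_OFFSET 32083

/* Exact value of (sdn + OFFSET) * 4 - 1, computed in 64 bits. */
static int64_t temp_exact(int32_t sdn)
{
    return ((int64_t)sdn + JULIAN_SDN_OFFSET) * 4 - 1;
}

/* Value a two's-complement 32-bit long typically holds after the wrap.
   The signed overflow itself is undefined behaviour in C, so it is
   modelled here with a well-defined reduction mod 2^32. */
static int64_t temp_wrapped32(int32_t sdn)
{
    uint32_t u = (uint32_t)temp_exact(sdn);
    return u > (uint32_t)INT32_MAX ? (int64_t)u - 4294967296LL : (int64_t)u;
}

/* Range guard: returns 1 and stores temp, or 0 if sdn must be rejected. */
static int temp_checked(int32_t sdn, int32_t *temp)
{
    if (sdn <= 0 || sdn > (INT32_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4)
        return 0;
    *temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;   /* cannot overflow now */
    return 1;
}

int main(void)
{
    /* 882858043 is the last value printed before the crash in the report;
       the other two are constructed around the guard's boundary. */
    const int32_t samples[] = { 882858043, 536838829, 536838830 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t t = 0;
        int ok = temp_checked(samples[i], &t);
        printf("sdn=%ld exact=%lld wrapped32=%lld guard=%s\n",
               (long)samples[i], (long long)temp_exact(samples[i]),
               (long long)temp_wrapped32(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```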



 [2010-12-19 18:53 UTC] cataphract@php.net
-Assigned To: +Assigned To: cataphract
 [2010-12-20 00:47 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=306475
Log: - Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to
  segfault).
 [2010-12-20 00:47 UTC] cataphract@php.net
-Status: Assigned +Status: Closed
 [2010-12-20 00:47 UTC] cataphract@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-09-26 20:56 UTC] tyrael@php.net
-Status: Closed +Status: Re-Opened -PHP Version: 5.3.4 +PHP Version: 5.5.0-dev
 [2011-09-26 20:56 UTC] tyrael@php.net
on 32bit with the current trunk:

tyrael@phpize32:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(882858030, CAL_GREGORIAN));'
Segmentation fault

I will split the test (ext/calendar/tests/bug53574.log) into two separate tests, one for 32bit, one for 64bit, as the EXPECT cannot test both cases in one test easily.
 [2011-09-26 21:27 UTC] tyrael@php.net
on 64bit:

tyrael@phpize:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(9223372036854743639, CAL_GREGORIAN));'
Segmentation fault
 [2011-09-26 22:38 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=317360
Log: - Fixed bug in SdnToGregorian (see comments on #53574, though that bug is about
  another function). NEWS & tests tomorrow.
 [2011-09-27 00:53 UTC] tyrael@php.net
Automatic comment from SVN on behalf of tyrael
Revision: http://svn.php.net/viewvc/?view=revision&revision=317366
Log: split the ext/calendar/tests/bug53574.phpt into two tests, as we expect different results on 32 and 64 bit
 [2011-09-28 13:32 UTC] cataphract@php.net
-Status: Re-Opened +Status: Closed
 [2011-09-28 13:32 UTC] cataphract@php.net
Closing, see bug #55797.
 
Last updated: Tue Dec 03 17:01:29 2024 UTC