Bug #53574 Integer overflow in SdnToJulian
Submitted: 2010-12-19 15:08 UTC Modified: 2011-09-28 13:32 UTC
From: m dot kocielski at gmail dot com Assigned: cataphract
Status: Closed Package: Calendar related
PHP Version: 5.5.0-dev OS: Linux
Private report: No CVE-ID:
 [2010-12-19 15:08 UTC] m dot kocielski at gmail dot com
Description:
------------
*cut*
void SdnToJulian(
					long int sdn,
					int *pYear,
					int *pMonth,
					int *pDay)
{
	int year;
	int month;
	int day;
	long int temp;
	int dayOfYear;

	if (sdn <= 0) {
		*pYear = 0;
		*pMonth = 0;
		*pDay = 0;
		return;
	}

	temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
*cut*

temp could here be less than 0 due to integer overflow (when sdn is large enough).

Test script:
---------------
<?php
for(;;) {
    $x = rand(0, 2147483640);
    echo "$x\n";
    $dummy = cal_from_jd($x,0);
    $dummy = cal_from_jd($x,1);
}
?>


Expected result:
----------------
Sigsegv:

$ php core1.php 
758413092
1698116908
42935006
988939165
101976420
1332880082
882858043
Naruszenie ochrony pamięci (SIGSEGV)

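As an added example (not the PHP project's code), here is a guarded version of the routine quoted in the report: it bounds sdn before the multiplication so temp can never wrap negative, and it also refuses a result whose year does not fit an int rather than truncating it. The offset and divisor constants are the ones I recall from ext/calendar/julian.c and are an assumption of this example, as is the helper julian_packed.

```c
#include <limits.h>

/* Constants as used by the SDN routines in PHP's ext/calendar/julian.c;
 * quoted from memory, so treat the values as an assumption of this example. */
#define JULIAN_SDN_OFFSET 32083
#define DAYS_PER_4_YEARS  1461
#define DAYS_PER_5_MONTHS 153

/* Largest sdn for which (sdn + JULIAN_SDN_OFFSET) * 4 - 1 fits in a long,
 * derived from LONG_MAX without ever evaluating the risky expression. */
#define JULIAN_SDN_MAX (LONG_MAX / 4 - JULIAN_SDN_OFFSET)

/* Same arithmetic as SdnToJulian, but returns 1 only for a valid conversion;
 * sdn <= 0, an sdn that would wrap temp, or an oversized year return 0. */
int sdn_to_julian_checked(long sdn, int *pYear, int *pMonth, int *pDay)
{
    long temp, year;
    int month, day, dayOfYear;
    *pYear = *pMonth = *pDay = 0;
    if (sdn <= 0 || sdn > JULIAN_SDN_MAX)
        return 0;
    temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;             /* cannot wrap now */
    year = temp / DAYS_PER_4_YEARS;                        /* kept as long */
    dayOfYear = (int)((temp % DAYS_PER_4_YEARS) / 4 + 1);  /* 1..366 */
    temp = dayOfYear * 5L - 3;
    month = (int)(temp / DAYS_PER_5_MONTHS);
    day = (int)((temp % DAYS_PER_5_MONTHS) / 5 + 1);
    if (month < 10) {                  /* March-based month to normal numbering */
        month += 3;
    } else {
        year += 1;
        month -= 9;
    }
    year -= 4800;                      /* B.C./A.D. numbering, no year 0 */
    if (year <= 0)
        year--;
    if (year > INT_MAX)                /* 64-bit long: reject, do not truncate */
        return 0;
    *pYear = (int)year;
    *pMonth = month;
    *pDay = day;
    return 1;
}

/* Packs a valid result as year*10000 + month*100 + day; LONG_MIN if rejected. */
long julian_packed(long sdn)
{
    int y, m, d;
    return sdn_to_julian_checked(sdn, &y, &m, &d) ? y * 10000L + m * 100 + d : LONG_MIN;
}
```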



History

 [2010-12-19 18:53 UTC] cataphract@php.net
-Assigned To: +Assigned To: cataphract
 [2010-12-20 00:47 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=306475
Log: - Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to
  segfault).
 [2010-12-20 00:47 UTC] cataphract@php.net
-Status: Assigned +Status: Closed
 [2010-12-20 00:47 UTC] cataphract@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-09-26 20:56 UTC] tyrael@php.net
-Status: Closed +Status: Re-Opened -PHP Version: 5.3.4 +PHP Version: 5.5.0-dev
 [2011-09-26 20:56 UTC] tyrael@php.net
on 32bit with the current trunk:

tyrael@phpize32:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(882858030, CAL_GREGORIAN));'
Segmentation fault

I will split the test (ext/calendar/tests/bug53574.log) into two separate tests, one
for 32bit, one for 64bit, as the EXPECT cannot test both cases in one test easily.
 [2011-09-26 21:27 UTC] tyrael@php.net
on 64bit:

tyrael@phpize:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(9223372036854743639, CAL_GREGORIAN));'
Segmentation fault
 [2011-09-26 22:38 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=317360
Log: - Fixed bug in SdnToGregorian (see comments on #53574, though that bug is about
  another function). NEWS & tests tomorrow.
 [2011-09-27 00:53 UTC] tyrael@php.net
Automatic comment from SVN on behalf of tyrael
Revision: http://svn.php.net/viewvc/?view=revision&revision=317366
Log: split the ext/calendar/tests/bug53574.phpt into two tests, as we expect different results on 32 and 64 bit
 [2011-09-28 13:32 UTC] cataphract@php.net
-Status: Re-Opened +Status: Closed
 [2011-09-28 13:32 UTC] cataphract@php.net
Closing, see bug #55797.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 18:01:53 2014 UTC