Bug #53574 Integer overflow in SdnToJulian
Submitted: 2010-12-19 15:08 UTC Modified: 2011-09-28 13:32 UTC
From: m dot kocielski at gmail dot com Assigned: cataphract
Status: Closed Package: Calendar related
PHP Version: 5.5.0-dev OS: Linux
Private report: No CVE-ID:
 [2010-12-19 15:08 UTC] m dot kocielski at gmail dot com
void SdnToJulian(
					long int sdn,
					int *pYear,
					int *pMonth,
					int *pDay)
{
	int year;
	int month;
	int day;
	long int temp;
	int dayOfYear;

	if (sdn <= 0) {
		*pYear = 0;
		*pMonth = 0;
		*pDay = 0;
		return;
	}

	/* only the lower bound of sdn is checked before this multiplication */
	temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;

temp could be less than 0 here due to integer overflow (when sdn is large enough).

Test script:
<?php
// Feed random day numbers to both calendar conversions until one crashes.
for(;;) {
    $x = rand(0, 2147483640);
    echo "$x\n";
    $dummy = cal_from_jd($x,0);
    $dummy = cal_from_jd($x,1);
}

Expected result:

$ php core1.php 
Naruszenie ochrony pamięci (SIGSEGV)
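
Added example (not part of the original report or of PHP's source): the expression from the report evaluated as a 32-bit `long` would evaluate it, next to a bounds check that rejects any `sdn` for which it overflows. `JULIAN_SDN_OFFSET = 32083` is assumed from PHP's julian.c; `SDN_MAX_32`, `temp_wrapped32` and `temp_checked32` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed: value of the constant in PHP's julian.c (not shown in the report). */
#define JULIAN_SDN_OFFSET 32083

/* Largest sdn for which (sdn + OFFSET) * 4 - 1 still fits a 32-bit long. */
#define SDN_MAX_32 ((INT32_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4)

/* Value a 32-bit long ends up holding. Unsigned arithmetic wraps modulo
 * 2^32 (well defined); the cast back to signed is implementation-defined
 * and two's complement on common compilers. */
int32_t temp_wrapped32(int32_t sdn)
{
	uint32_t t = ((uint32_t)sdn + JULIAN_SDN_OFFSET) * 4u - 1u;
	return (int32_t)t;
}

/* Hypothetical guarded form: returns 0 without writing *temp when the
 * expression would overflow, 1 otherwise. */
int temp_checked32(int32_t sdn, int32_t *temp)
{
	if (sdn <= 0 || sdn > SDN_MAX_32)
		return 0;
	*temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
	return 1;
}

int main(void)
{
	/* Constructed inputs: last safe value, first overflowing value, and
	 * the upper bound passed to rand() in the report's test script. */
	int32_t samples[] = { SDN_MAX_32, SDN_MAX_32 + 1, 2147483640 };
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		int32_t t = 0;
		int ok = temp_checked32(samples[i], &t);
		printf("sdn=%ld wrapped=%ld guard=%s\n", (long)samples[i],
		       (long)temp_wrapped32(samples[i]), ok ? "accept" : "reject");
	}
	return 0;
}
```

The wrapped result is not always negative: 2147483640 wraps to a small positive number, so a sign check on `temp` after the multiplication would not catch every overflow. Checking `sdn` against the bound before the arithmetic does.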


 [2010-12-19 18:53 UTC]
-Assigned To: +Assigned To: cataphract
 [2010-12-20 00:47 UTC]
Automatic comment from SVN on behalf of cataphract
Log: - Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to
 [2010-12-20 00:47 UTC]
-Status: Assigned +Status: Closed
 [2010-12-20 00:47 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2011-09-26 20:56 UTC]
-Status: Closed +Status: Re-Opened -PHP Version: 5.3.4 +PHP Version: 5.5.0-dev
 [2011-09-26 20:56 UTC]
on 32bit with the current trunk:

tyrael@phpize32:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(882858030, CAL_GREGORIAN));'
Segmentation fault

I will split the test (ext/calendar/tests/bug53574.log) into two separate tests, one for 32bit, one for 64bit, as the EXPECT cannot test both cases in one test easily.
 [2011-09-26 21:27 UTC]
on 64bit:

tyrael@phpize:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(9223372036854743639, CAL_GREGORIAN));'
Segmentation fault
 [2011-09-26 22:38 UTC]
Automatic comment from SVN on behalf of cataphract
Log: - Fixed bug in SdnToGregorian (see comments on #53574, though that bug is about
  another function). NEWS & tests tomorrow.
 [2011-09-27 00:53 UTC]
Automatic comment from SVN on behalf of tyrael
Log: split the ext/calendar/tests/bug53574.phpt into two tests, as we expect different results on 32 and 64 bit
 [2011-09-28 13:32 UTC]
-Status: Re-Opened +Status: Closed
 [2011-09-28 13:32 UTC]
Closing, see bug #55797.
Last updated: Wed Nov 25 06:02:11 2015 UTC