Edit report at https://bugs.php.net/bug.php?id=53574&edit=1

 ID:                 53574
 Updated by:         tyr...@php.net
 Reported by:        m dot kocielski at gmail dot com
 Summary:            Integer overflow in SdnToJulian
-Status:             Closed
+Status:             Re-Opened
 Type:               Bug
 Package:            Calendar related
 Operating System:   Linux
-PHP Version:        5.3.4
+PHP Version:        5.5.0-dev
 Assigned To:        cataphract
 Block user comment: N
 Private report:     N

 New Comment:

on 32bit with the current trunk:

tyrael@phpize32:~/checkouts/php-src/trunk$ ./sapi/cli/php -r 'print_r(cal_from_jd(882858030, CAL_GREGORIAN));'
Segmentation fault

I will split the test (ext/calendar/tests/bug53574.log) into two separate tests, one for 32bit, one for 64bit, as the EXPECT cannot test both cases in one test easily.

Previous Comments:
------------------------------------------------------------------------
[2010-12-20 00:47:19] cataphr...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------
[2010-12-20 00:47:02] cataphr...@php.net

Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=306475
Log: - Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to segfault).

------------------------------------------------------------------------
[2010-12-19 15:08:51] m dot kocielski at gmail dot com

Description:
------------
*cut*
void SdnToJulian(
    long int sdn,
    int *pYear,
    int *pMonth,
    int *pDay)
{
    int year;
    int month;
    int day;
    long int temp;
    int dayOfYear;

    if (sdn <= 0) {
        *pYear = 0;
        *pMonth = 0;
        *pDay = 0;
        return;
    }
    temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
*cut*

temp could here be less than 0 due to integer overflow (when sdn is large enough).

Test script:
---------------
<?php
for(;;) {
    $x = rand(0, 2147483640);
    echo "$x\n";
    $dummy = cal_from_jd($x,0);
    $dummy = cal_from_jd($x,1);
}
?>

Expected result:
----------------
Sigsegv:

$ php core1.php
758413092
1698116908
42935006
988939165
101976420
1332880082
882858043
Naruszenie ochrony pamięci (SIGSEGV)

------------------------------------------------------------------------
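
Added example (not part of the bug report and not php-src code): the expression quoted in the description, evaluated exactly and as a 32-bit long stores it, plus a range check that rejects an sdn before temp can wrap. The value 32083 for JULIAN_SDN_OFFSET and the helper names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value of the constant named in the report (not shown on the page). */
#define JULIAN_SDN_OFFSET 32083

/* Exact value of (sdn + JULIAN_SDN_OFFSET) * 4 - 1, computed in 64 bits. */
static int64_t temp_exact(int32_t sdn)
{
    return ((int64_t)sdn + JULIAN_SDN_OFFSET) * 4 - 1;
}

/* The same expression as a 32-bit long stores it on a two's complement
 * machine. Unsigned arithmetic keeps the wrap-around well defined in C. */
static int32_t temp_wrapped32(int32_t sdn)
{
    uint32_t u = ((uint32_t)sdn + (uint32_t)JULIAN_SDN_OFFSET) * 4u - 1u;
    return (u <= INT32_MAX) ? (int32_t)u
                            : (int32_t)((int64_t)u - 4294967296LL);
}

/* Hypothetical guard: 1 if sdn is positive and temp fits in 32 bits. */
static int sdn_in_range32(int32_t sdn)
{
    return sdn > 0 && sdn <= (INT32_MAX - 4 * JULIAN_SDN_OFFSET + 1) / 4;
}

int main(void)
{
    /* 882858030 is the value from the comment on this report;
     * the other two sit on either side of the guard's limit. */
    const int32_t samples[] = { 536838829, 536838830, 882858030 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t s = samples[i];
        printf("sdn=%ld exact=%lld wrapped32=%ld in_range=%d\n",
               (long)s, (long long)temp_exact(s),
               (long)temp_wrapped32(s), sdn_in_range32(s));
    }
    return 0;
}
```

With the assumed offset, the largest sdn for which temp still fits in 32 bits is 536838829; the value from the comment above wraps to a negative temp.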