From
http://git.php.net/?p=php-src.git;a=commitdiff;h=4828f7343b3f31d914f4d4a5545865b8a19f7fb6
Integer overflow in SndToJewish leads to php hang
and
http://git.php.net/?p=php-src.git;a=commitdiff;h=c50cef1dc54ffd1d0fb71d1afb8b2c3cb3c5b6ef
Fixed bug #64895 Integer overflow in SndToJewish
CVE-2013-2110 - use correct formula to calculate string size
does NOT apply because there is no such function to patch.
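--- a/php-5.2.17/ext/calendar/jewish.c
+++ b/php-5.2.17/ext/calendar/jewish.c
@@ -272,6 +272,7 @@
 #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7))
 
 #define JEWISH_SDN_OFFSET 347997
+#define JEWISH_SDN_MAX 324542846L /* 12/13/887605, greater value raises interger overflow */
 #define NEW_MOON_OF_CREATION 31524
 
 #define SUNDAY 0
@@ -519,7 +520,7 @@
 int tishri1After;
 int yearLength;
 
- if (sdn <= JEWISH_SDN_OFFSET) {
+ if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) {
 *pYear = 0;
 *pMonth = 0;
 *pDay = 0;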
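Review bot: The comment on `JEWISH_SDN_MAX` in the first hunk misspells "integer" and does not say which computation the limit protects, so a later change to the conversion arithmetic could invalidate this hand-derived constant without anyone noticing. I would write it as `#define JEWISH_SDN_MAX 324542846L /* 12/13/887605; any larger SDN overflows the integer arithmetic of the conversion */`. In the second hunk the new upper-bound test reuses the all-zero result that dates before `JEWISH_SDN_OFFSET` already get, so a caller cannot tell "too early" from "too large". A one-line comment above the `if`, such as `/* SDN outside the convertible range (either side): report 0/0/0 */`, would make that deliberate. The enclosing function starts and ends outside the hunk, so the arithmetic the bound guards is not visible here.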
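--- a/php-5.2.17/ext/calendar/tests/jdtojewish64.phpt
+++ b/php-5.2.17/ext/calendar/tests/jdtojewish64.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #64895: Integer overflow in SndToJewish
+--SKIPIF--
+<?php
+include 'skipif.inc';
+if (PHP_INT_SIZE == 4) {
+ die("skip this test is for 64bit platform only");
+}
+?>
+--FILE--
+<?php
+$a = array(38245310, 324542846, 324542847, 9223372036854743639);
+
+foreach ($a as $x) var_dump(jdtojewish($x));
+--EXPECTF--
+string(11) "2/22/103759"
+string(12) "12/13/887605"
+string(5) "0/0/0"
+string(5) "0/0/0"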
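Review bot: The `--SKIPIF--` block skips the whole test when `PHP_INT_SIZE == 4`, yet three of the four inputs (38245310, 324542846, 324542847) fit in a 32-bit integer, so the accept/reject boundary around the new limit is never exercised on 32-bit builds. Only 9223372036854743639 needs a 64-bit integer. Moving the first three values into a companion test without the size check would pin the boundary on every platform; its expected output should presumably be the first three lines of this `--EXPECTF--` section. Since the expectations contain no format placeholders, `--EXPECT--` would also state the intent more precisely than `--EXPECTF--`.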