|
1 From |
|
2 http://git.php.net/?p=php-src.git;a=commitdiff;h=4828f7343b3f31d914f4d4a5545865b8a19f7fb6 |
|
3 Integer overflow in SndToJewish leads to php hang |
|
4 and |
|
5 http://git.php.net/?p=php-src.git;a=commitdiff;h=c50cef1dc54ffd1d0fb71d1afb8b2c3cb3c5b6ef |
|
6 Fixed bug #64895 Integer overflow in SndToJewish |
|
7 |
|
8 CVE-2013-2110 - use correct formula to calculate string size |
|
9 does NOT apply because no such function to patch. |
|
10 |
|
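--- a/php-5.2.17/ext/calendar/jewish.c
+++ b/php-5.2.17/ext/calendar/jewish.c
@@ -272,6 +272,7 @@
 #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7))
 
 #define JEWISH_SDN_OFFSET 347997
+#define JEWISH_SDN_MAX 324542846L /* 12/13/887605, greater value raises interger overflow */
 #define NEW_MOON_OF_CREATION 31524
 
 #define SUNDAY 0
@@ -519,7 +520,7 @@
 int tishri1After;
 int yearLength;
 
- if (sdn <= JEWISH_SDN_OFFSET) {
+ if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) {
 *pYear = 0;
 *pMonth = 0;
 *pDay = 0;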
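Review bot: The comment on `JEWISH_SDN_MAX` names the date the limit maps to, but not which computation overflows or at what integer width, and it misspells "integer". The locals visible in the second hunk (`tishri1After`, `yearLength`) are `int`, so the constant presumably assumes 32-bit `int` arithmetic. Stating that makes the bound auditable, e.g. `/* 12/13/887605; larger SDNs overflow the 32-bit int arithmetic used below */`. The widened guard now returns the same 0/0/0 result for too-large input as for pre-epoch input, so the function's header comment should say that 0/0/0 is a sentinel for "out of supported range" in both directions. The enclosing function starts and ends outside the hunk, so whether other paths in this file need the same upper bound cannot be judged from here.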
|
30 |
|
31 |
|
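--- a/php-5.2.17/ext/calendar/tests/jdtojewish64.phpt
+++ b/php-5.2.17/ext/calendar/tests/jdtojewish64.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #64895: Integer overflow in SndToJewish
+--SKIPIF--
+<?php
+include 'skipif.inc';
+if (PHP_INT_SIZE == 4) {
+ die("skip this test is for 64bit platform only");
+}
+?>
+--FILE--
+<?php
+$a = array(38245310, 324542846, 324542847, 9223372036854743639);
+
+foreach ($a as $x) var_dump(jdtojewish($x));
+--EXPECTF--
+string(11) "2/22/103759"
+string(12) "12/13/887605"
+string(5) "0/0/0"
+string(5) "0/0/0"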
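Review bot: The SKIPIF section disables the whole test on 32-bit builds, but only the last input (`9223372036854743639`) needs a 64-bit integer. The boundary pair `324542846` / `324542847` fits in 32 bits, so the new `JEWISH_SDN_MAX` check is never exercised there, although the guard itself is compiled on every platform. I would add a second, unconditional test using `$a = array(38245310, 324542846, 324542847);` and keep only the 64-bit value in this skipped file. The expected output contains no format placeholders, so `--EXPECT--` would be the more precise section name than `--EXPECTF--`.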
|
54 |