https://bugzilla.redhat.com/show_bug.cgi?id=689386 http://svn.php.net/viewvc/?view=revision&revision=306475 plus: http://svn.php.net/viewvc?view=revision&revision=317360 http://svn.php.net/viewvc?view=revision&revision=317387 http://svn.php.net/viewvc?view=revision&revision=317393 plus similar fix for jewish.c
--- php-5.3.3/ext/calendar/gregor.c.cve1466
+++ php-5.3.3/ext/calendar/gregor.c
@@ -127,6 +127,7 @@
 **************************************************************************/
 #include "sdncal.h"
+#include
 #define GREGOR_SDN_OFFSET 32045
 #define DAYS_PER_5_MONTHS 153
@@ -146,21 +147,12 @@ void SdnToGregorian(
 long int temp;
 int dayOfYear;
- if (sdn <= 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
+ if (sdn <= 0 ||
+ sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) {
+ goto fail;
 }
 temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1;
- if (temp < 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
- }
-
 /* Calculate the century (year/100). */
 century = temp / DAYS_PER_400_YEARS;
@@ -190,6 +182,12 @@ void SdnToGregorian(
 *pYear = year;
 *pMonth = month;
 *pDay = day;
+ return;
+
+fail:
+ *pYear = 0;
+ *pMonth = 0;
+ *pDay = 0;
 }
 long int GregorianToSdn(
--- php-5.3.3/ext/calendar/jewish.c.cve1466
+++ php-5.3.3/ext/calendar/jewish.c
@@ -272,6 +272,7 @@
 #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7))
 #define JEWISH_SDN_OFFSET 347997
+#define JEWISH_SDN_MAX 38245310 /* year 103759, 100000 A.D. */
 #define NEW_MOON_OF_CREATION 31524
 #define SUNDAY 0
@@ -519,7 +520,7 @@ void SdnToJewish(
 int tishri1After;
 int yearLength;
- if (sdn <= JEWISH_SDN_OFFSET) {
+ if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) {
 *pYear = 0;
 *pMonth = 0;
 *pDay = 0;
--- php-5.3.3/ext/calendar/julian.c.cve1466
+++ php-5.3.3/ext/calendar/julian.c
@@ -146,6 +146,7 @@
 **************************************************************************/
 #include "sdncal.h"
+#include
 #define JULIAN_SDN_OFFSET 32083
 #define DAYS_PER_5_MONTHS 153
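Review bot: In SdnToGregorian the new upper bound is derived from `LONG_MAX`, so it only keeps `(sdn + GREGOR_SDN_OFFSET) * 4 - 1` from wrapping; where `long` is 64 bits, an accepted `sdn` can still make `temp / DAYS_PER_400_YEARS` far larger than an `int` can hold. If `century` and `year` are `int` (their declarations sit above the hunk), that quotient is silently truncated instead of being rejected. The julian.c change in this same patch range-checks its quotient before narrowing; the equivalent here, assuming the year is later built from `century * 100`, would be `if (temp / DAYS_PER_400_YEARS >= INT_MAX / 100) goto fail;` placed before the `century` assignment. As rendered on this page the added `#include` line in the first gregor.c hunk carries no header name, and `LONG_MAX` needs `<limits.h>`.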
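Review bot: `JEWISH_SDN_MAX` in jewish.c is introduced with a comment that gives only the calendar year it maps to, not which computation in SdnToJewish it protects, so a later maintainer cannot tell whether the cap is an arithmetic limit or a policy choice. A comment on the define along the lines of `/* largest SDN accepted by SdnToJewish; larger inputs are rejected to keep the conversion arithmetic in range */` would record the intent, once the author confirms which intermediate value overflows. The rejection path in the second hunk also keeps the three zeroing stores inline while gregor.c and julian.c now share a `fail:` label; one pattern across the three files would make the all-zero error contract easier to audit. SdnToJewish continues past the end of the hunk.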
@@ -164,15 +165,22 @@ void SdnToJulian(
 int dayOfYear;
 if (sdn <= 0) {
- *pYear = 0;
- *pMonth = 0;
- *pDay = 0;
- return;
+ goto fail;
 }
- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
+ /* Check for overflow */
+ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) {
+ goto fail;
+ }
+ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1);
 /* Calculate the year and day of year (1 <= dayOfYear <= 366). */
- year = temp / DAYS_PER_4_YEARS;
+ {
+ long yearl = temp / DAYS_PER_4_YEARS;
+ if (yearl > INT_MAX || yearl < INT_MIN) {
+ goto fail;
+ }
+ year = (int) yearl;
+ }
 dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
 /* Calculate the month and day of month. */
@@ -196,6 +204,12 @@ void SdnToJulian(
 *pYear = year;
 *pMonth = month;
 *pDay = day;
+ return;
+
+fail:
+ *pYear = 0;
+ *pMonth = 0;
+ *pDay = 0;
 }
 long int JulianToSdn(
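Review bot: The `sdn < LONG_MIN / 4` half of the new overflow check in SdnToJulian can never be true, because the `sdn <= 0` guard just above has already jumped to `fail`; dropping it leaves `if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4) {` and makes the real precondition easier to read. For the same reason `yearl < INT_MIN` is unreachable once `temp` is known to be positive. The `yearl > INT_MAX` test still admits a value of exactly `INT_MAX`, so if code after this hunk adds to `year` (not visible here) the comparison should be `yearl >= INT_MAX` or tighter. SdnToJulian starts before and continues past the hunk.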