1 |
|
|
2 |
|
https://bugzilla.redhat.com/show_bug.cgi?id=689386 |
3 |
|
|
4 |
|
http://svn.php.net/viewvc/?view=revision&revision=306475 |
5 |
|
|
6 |
|
plus: |
7 |
|
http://svn.php.net/viewvc?view=revision&revision=317360 |
8 |
|
http://svn.php.net/viewvc?view=revision&revision=317387 |
9 |
|
http://svn.php.net/viewvc?view=revision&revision=317393 |
10 |
|
|
11 |
|
plus similar fix for jewish.c |
12 |
|
|
13 |
|
--- php-5.3.3/ext/calendar/gregor.c.cve1466 |
14 |
|
+++ php-5.3.3/ext/calendar/gregor.c |
15 |
|
@@ -127,6 +127,7 @@ |
16 |
|
**************************************************************************/ |
17 |
|
|
18 |
|
#include "sdncal.h" |
19 |
|
+#include <limits.h> |
20 |
|
|
21 |
|
#define GREGOR_SDN_OFFSET 32045 |
22 |
|
#define DAYS_PER_5_MONTHS 153 |
23 |
|
@@ -146,21 +147,12 @@ void SdnToGregorian( |
24 |
|
long int temp; |
25 |
|
int dayOfYear; |
26 |
|
|
27 |
|
- if (sdn <= 0) { |
28 |
|
- *pYear = 0; |
29 |
|
- *pMonth = 0; |
30 |
|
- *pDay = 0; |
31 |
|
- return; |
32 |
|
+ if (sdn <= 0 || |
33 |
|
+ sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) { |
34 |
|
+ goto fail; |
35 |
|
} |
36 |
|
temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1; |
37 |
|
|
38 |
|
- if (temp < 0) { |
39 |
|
- *pYear = 0; |
40 |
|
- *pMonth = 0; |
41 |
|
- *pDay = 0; |
42 |
|
- return; |
43 |
|
- } |
44 |
|
- |
45 |
|
/* Calculate the century (year/100). */ |
46 |
|
century = temp / DAYS_PER_400_YEARS; |
47 |
|
|
48 |
|
@@ -190,6 +182,12 @@ void SdnToGregorian( |
49 |
|
*pYear = year; |
50 |
|
*pMonth = month; |
51 |
|
*pDay = day; |
52 |
|
+ return; |
53 |
|
+ |
54 |
|
+fail: |
55 |
|
+ *pYear = 0; |
56 |
|
+ *pMonth = 0; |
57 |
|
+ *pDay = 0; |
58 |
|
} |
59 |
|
|
60 |
|
long int GregorianToSdn( |
61 |
|
--- php-5.3.3/ext/calendar/jewish.c.cve1466 |
62 |
|
+++ php-5.3.3/ext/calendar/jewish.c |
63 |
|
@@ -272,6 +272,7 @@ |
64 |
|
#define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7)) |
65 |
|
|
66 |
|
#define JEWISH_SDN_OFFSET 347997 |
67 |
|
+#define JEWISH_SDN_MAX 38245310 /* year 103759, 100000 A.D. */ |
68 |
|
#define NEW_MOON_OF_CREATION 31524 |
69 |
|
|
70 |
|
#define SUNDAY 0 |
71 |
|
@@ -519,7 +520,7 @@ void SdnToJewish( |
72 |
|
int tishri1After; |
73 |
|
int yearLength; |
74 |
|
|
75 |
|
- if (sdn <= JEWISH_SDN_OFFSET) { |
76 |
|
+ if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) { |
77 |
|
*pYear = 0; |
78 |
|
*pMonth = 0; |
79 |
|
*pDay = 0; |
80 |
|
--- php-5.3.3/ext/calendar/julian.c.cve1466 |
81 |
|
+++ php-5.3.3/ext/calendar/julian.c |
82 |
|
@@ -146,6 +146,7 @@ |
83 |
|
**************************************************************************/ |
84 |
|
|
85 |
|
#include "sdncal.h" |
86 |
|
+#include <limits.h> |
87 |
|
|
88 |
|
#define JULIAN_SDN_OFFSET 32083 |
89 |
|
#define DAYS_PER_5_MONTHS 153 |
90 |
|
@@ -164,15 +165,22 @@ void SdnToJulian( |
91 |
|
int dayOfYear; |
92 |
|
|
93 |
|
if (sdn <= 0) { |
94 |
|
- *pYear = 0; |
95 |
|
- *pMonth = 0; |
96 |
|
- *pDay = 0; |
97 |
|
- return; |
98 |
|
+ goto fail; |
99 |
|
} |
100 |
|
- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1; |
101 |
|
+ /* Check for overflow */ |
102 |
|
+ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) { |
103 |
|
+ goto fail; |
104 |
|
+ } |
105 |
|
+ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1); |
106 |
|
|
107 |
|
/* Calculate the year and day of year (1 <= dayOfYear <= 366). */ |
108 |
|
- year = temp / DAYS_PER_4_YEARS; |
109 |
|
+ { |
110 |
|
+ long yearl = temp / DAYS_PER_4_YEARS; |
111 |
|
+ if (yearl > INT_MAX || yearl < INT_MIN) { |
112 |
|
+ goto fail; |
113 |
|
+ } |
114 |
|
+ year = (int) yearl; |
115 |
|
+ } |
116 |
|
dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1; |
117 |
|
|
118 |
|
/* Calculate the month and day of month. */ |
119 |
|
@@ -196,6 +204,12 @@ void SdnToJulian( |
120 |
|
*pYear = year; |
121 |
|
*pMonth = month; |
122 |
|
*pDay = day; |
123 |
|
+ return; |
124 |
|
+ |
125 |
|
+fail: |
126 |
|
+ *pYear = 0; |
127 |
|
+ *pMonth = 0; |
128 |
|
+ *pDay = 0; |
129 |
|
} |
130 |
|
|
131 |
|
long int JulianToSdn( |