| 1 |
|
| 2 |
https://bugzilla.redhat.com/show_bug.cgi?id=689386 |
| 3 |
|
| 4 |
http://svn.php.net/viewvc/?view=revision&revision=306475 |
| 5 |
|
| 6 |
plus: |
| 7 |
http://svn.php.net/viewvc?view=revision&revision=317360 |
| 8 |
http://svn.php.net/viewvc?view=revision&revision=317387 |
| 9 |
http://svn.php.net/viewvc?view=revision&revision=317393 |
| 10 |
|
| 11 |
plus similar fix for jewish.c |
| 12 |
|
| 13 |
--- php-5.3.3/ext/calendar/gregor.c.cve1466 |
| 14 |
+++ php-5.3.3/ext/calendar/gregor.c |
| 15 |
@@ -127,6 +127,7 @@ |
| 16 |
**************************************************************************/ |
| 17 |
|
| 18 |
#include "sdncal.h" |
| 19 |
+#include <limits.h> |
| 20 |
|
| 21 |
#define GREGOR_SDN_OFFSET 32045 |
| 22 |
#define DAYS_PER_5_MONTHS 153 |
| 23 |
@@ -146,21 +147,12 @@ void SdnToGregorian( |
| 24 |
long int temp; |
| 25 |
int dayOfYear; |
| 26 |
|
| 27 |
- if (sdn <= 0) { |
| 28 |
- *pYear = 0; |
| 29 |
- *pMonth = 0; |
| 30 |
- *pDay = 0; |
| 31 |
- return; |
| 32 |
+ if (sdn <= 0 || |
| 33 |
+ sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) { |
| 34 |
+ goto fail; |
| 35 |
} |
| 36 |
temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1; |
| 37 |
|
| 38 |
- if (temp < 0) { |
| 39 |
- *pYear = 0; |
| 40 |
- *pMonth = 0; |
| 41 |
- *pDay = 0; |
| 42 |
- return; |
| 43 |
- } |
| 44 |
- |
| 45 |
/* Calculate the century (year/100). */ |
| 46 |
century = temp / DAYS_PER_400_YEARS; |
| 47 |
|
| 48 |
@@ -190,6 +182,12 @@ void SdnToGregorian( |
| 49 |
*pYear = year; |
| 50 |
*pMonth = month; |
| 51 |
*pDay = day; |
| 52 |
+ return; |
| 53 |
+ |
| 54 |
+fail: |
| 55 |
+ *pYear = 0; |
| 56 |
+ *pMonth = 0; |
| 57 |
+ *pDay = 0; |
| 58 |
} |
| 59 |
|
| 60 |
long int GregorianToSdn( |
| 61 |
--- php-5.3.3/ext/calendar/jewish.c.cve1466 |
| 62 |
+++ php-5.3.3/ext/calendar/jewish.c |
| 63 |
@@ -272,6 +272,7 @@ |
| 64 |
#define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7)) |
| 65 |
|
| 66 |
#define JEWISH_SDN_OFFSET 347997 |
| 67 |
+#define JEWISH_SDN_MAX 38245310 /* year 103759, 100000 A.D. */ |
| 68 |
#define NEW_MOON_OF_CREATION 31524 |
| 69 |
|
| 70 |
#define SUNDAY 0 |
| 71 |
@@ -519,7 +520,7 @@ void SdnToJewish( |
| 72 |
int tishri1After; |
| 73 |
int yearLength; |
| 74 |
|
| 75 |
- if (sdn <= JEWISH_SDN_OFFSET) { |
| 76 |
+ if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) { |
| 77 |
*pYear = 0; |
| 78 |
*pMonth = 0; |
| 79 |
*pDay = 0; |
| 80 |
--- php-5.3.3/ext/calendar/julian.c.cve1466 |
| 81 |
+++ php-5.3.3/ext/calendar/julian.c |
| 82 |
@@ -146,6 +146,7 @@ |
| 83 |
**************************************************************************/ |
| 84 |
|
| 85 |
#include "sdncal.h" |
| 86 |
+#include <limits.h> |
| 87 |
|
| 88 |
#define JULIAN_SDN_OFFSET 32083 |
| 89 |
#define DAYS_PER_5_MONTHS 153 |
| 90 |
@@ -164,15 +165,22 @@ void SdnToJulian( |
| 91 |
int dayOfYear; |
| 92 |
|
| 93 |
if (sdn <= 0) { |
| 94 |
- *pYear = 0; |
| 95 |
- *pMonth = 0; |
| 96 |
- *pDay = 0; |
| 97 |
- return; |
| 98 |
+ goto fail; |
| 99 |
} |
| 100 |
- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1; |
| 101 |
+ /* Check for overflow */ |
| 102 |
+ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) { |
| 103 |
+ goto fail; |
| 104 |
+ } |
| 105 |
+ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1); |
| 106 |
|
| 107 |
/* Calculate the year and day of year (1 <= dayOfYear <= 366). */ |
| 108 |
- year = temp / DAYS_PER_4_YEARS; |
| 109 |
+ { |
| 110 |
+ long yearl = temp / DAYS_PER_4_YEARS; |
| 111 |
+ if (yearl > INT_MAX || yearl < INT_MIN) { |
| 112 |
+ goto fail; |
| 113 |
+ } |
| 114 |
+ year = (int) yearl; |
| 115 |
+ } |
| 116 |
dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1; |
| 117 |
|
| 118 |
/* Calculate the month and day of month. */ |
| 119 |
@@ -196,6 +204,12 @@ void SdnToJulian( |
| 120 |
*pYear = year; |
| 121 |
*pMonth = month; |
| 122 |
*pDay = day; |
| 123 |
+ return; |
| 124 |
+ |
| 125 |
+fail: |
| 126 |
+ *pYear = 0; |
| 127 |
+ *pMonth = 0; |
| 128 |
+ *pDay = 0; |
| 129 |
} |
| 130 |
|
| 131 |
long int JulianToSdn( |
Parent Directory
| 
Revision Log
| 
Revision Graph
