Integer overflow in SndToJewish leads to php hang

remicollet · remicollet · commit 4828f7343b3f · 2013-05-21T18:04:17.000+02:00
AT least in (inputDay is long, metonicCycle is int):
   metonicCycle = (inputDay + 310) / 6940;

So large value give strange (negative) results or php hangs.
This is patch already applied in some linux distro.
diff --git a/ext/calendar/jewish.c b/ext/calendar/jewish.c
@@ -272,6 +272,7 @@
 #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7))
 
 #define JEWISH_SDN_OFFSET 347997
+#define JEWISH_SDN_MAX 38245310 /* year 103759, 100000 A.D. */
 #define NEW_MOON_OF_CREATION 31524
 
 #define SUNDAY    0
@@ -519,7 +520,7 @@ void SdnToJewish(
 	int tishri1After;
 	int yearLength;
 
-	if (sdn <= JEWISH_SDN_OFFSET) {
+	if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) {
 		*pYear = 0;
 		*pMonth = 0;
 		*pDay = 0;
diff --git a/ext/calendar/tests/jdtojewish64.phpt b/ext/calendar/tests/jdtojewish64.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Integer overflow in SndToJewish leads to php hang 
+--SKIPIF--
+<?php 
+include 'skipif.inc';
+if (PHP_INT_SIZE == 4) {
+        die("skip this test is for 64bit platform only");
+}
+?>
+--FILE--
+<?php
+$a = array(38245310, 38245311, 9223372036854743639);
+
+foreach ($a as $x) var_dump(jdtojewish($x));
+--EXPECTF--
+string(11) "2/22/103759"
+string(5) "0/0/0"
+string(5) "0/0/0"
