Fix GH-14709 overflow on recurrences for DatePeriod::__construct

devnexen · devnexen · commit 7b999fb6996a · 2024-12-12T17:48:30.000Z
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -4903,19 +4903,31 @@ static bool date_period_init_iso8601_string(php_period_obj *dpobj, zend_class_en
 
 static bool date_period_init_finish(php_period_obj *dpobj, zend_long options, zend_long recurrences)
 {
-	if (dpobj->end == NULL && recurrences < 1) {
+	const zend_long max_recurrences = (INT_MAX - 8);
+
+	if (dpobj->end == NULL && (recurrences < 1 || recurrences > max_recurrences)) {
 		zend_string *func = get_active_function_or_method_name();
-		zend_throw_exception_ex(date_ce_date_malformed_period_string_exception, 0, "%s(): Recurrence count must be greater than 0", ZSTR_VAL(func));
+		zend_throw_exception_ex(NULL, 0, "%s(): Recurrence count must be greater or equal to 1 and lower than " ZEND_LONG_FMT, ZSTR_VAL(func), max_recurrences + 1);
 		zend_string_release(func);
 		return false;
 	}
 
+
 	/* options */
 	dpobj->include_start_date = !(options & PHP_DATE_PERIOD_EXCLUDE_START_DATE);
 	dpobj->include_end_date = options & PHP_DATE_PERIOD_INCLUDE_END_DATE;
 
-	/* recurrrences */
-	dpobj->recurrences = recurrences + dpobj->include_start_date + dpobj->include_end_date;
+	/* recurrences */
+	recurrences += dpobj->include_start_date + dpobj->include_end_date;
+
+	if (UNEXPECTED(recurrences > max_recurrences)) {
+		zend_string *func = get_active_function_or_method_name();
+		zend_throw_exception_ex(NULL, 0, "%s(): Recurrence count must be greater or equal to 1 and lower than " ZEND_LONG_FMT " (including options)", ZSTR_VAL(func), max_recurrences + 1);
+		zend_string_release(func);
+		return false;
+	}
+
+	dpobj->recurrences = (int)recurrences;
 
 	dpobj->initialized = 1;
 
diff --git a/ext/date/tests/DatePeriod_wrong_recurrence_on_constructor.phpt b/ext/date/tests/DatePeriod_wrong_recurrence_on_constructor.phpt
@@ -15,6 +15,6 @@ try {
 }
 
 ?>
---EXPECT--
-DatePeriod::__construct(): Recurrence count must be greater than 0
-DatePeriod::__construct(): Recurrence count must be greater than 0
+--EXPECTF--
+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d
+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d
diff --git a/ext/date/tests/gh14709.phpt b/ext/date/tests/gh14709.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug GH-14709 overflow on reccurences parameter
+--FILE--
+<?php
+$start = new DateTime('2018-12-31 00:00:00');
+$interval = new DateInterval('P1M');
+
+try {
+	new DatePeriod($start, $interval, 2147483640);
+} catch (Exception $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+	new DatePeriod($start, $interval, 2147483639, DatePeriod::EXCLUDE_START_DATE | DatePeriod::INCLUDE_END_DATE);
+} catch (Exception $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECTF--
+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d
+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d (including options)

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,6 @@ try {`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`?>`
`18`		`---EXPECT--`
`19`		`-DatePeriod::__construct(): Recurrence count must be greater than 0`
`20`		`-DatePeriod::__construct(): Recurrence count must be greater than 0`
	`18`	`+--EXPECTF--`
	`19`	`+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d`
	`20`	`+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d`