[Pkg-php-commits] [php/debian-squeeze] Fix integer overflow in the SdnToJulian (has CVE-2011-1466)
Ondřej Surý
ondrej at sury.org
Sat May 14 09:35:41 UTC 2011
---
debian/patches/CVE-2011-1466.patch | 90 ++++++++++++++++++++
.../fix-integer-overflow-in-SdnToJulian.patch | 90 --------------------
debian/patches/series | 2 +-
3 files changed, 91 insertions(+), 91 deletions(-)
create mode 100644 debian/patches/CVE-2011-1466.patch
delete mode 100644 debian/patches/fix-integer-overflow-in-SdnToJulian.patch
diff --git a/debian/patches/CVE-2011-1466.patch b/debian/patches/CVE-2011-1466.patch
new file mode 100644
index 0000000..6f1510a
--- /dev/null
+++ b/debian/patches/CVE-2011-1466.patch
@@ -0,0 +1,90 @@
+--- /dev/null
++++ b/ext/calendar/tests/bug53574.phpt
+@@ -0,0 +1,35 @@
++--TEST--
++Bug #53574 (Integer overflow in SdnToJulian; leads to segfault)
++--SKIPIF--
++<?php include 'skipif.inc'; ?>
++--FILE--
++<?php
++if (PHP_INT_MAX == 0x7FFFFFFF) {
++ $x = 882858043;
++} else {
++ $x = 3315881921229094912;
++}
++
++var_dump(cal_from_jd($x, CAL_JULIAN));
++--EXPECT--
++array(9) {
++ ["date"]=>
++ string(5) "0/0/0"
++ ["month"]=>
++ int(0)
++ ["day"]=>
++ int(0)
++ ["year"]=>
++ int(0)
++ ["dow"]=>
++ int(3)
++ ["abbrevdayname"]=>
++ string(3) "Wed"
++ ["dayname"]=>
++ string(9) "Wednesday"
++ ["abbrevmonth"]=>
++ string(0) ""
++ ["monthname"]=>
++ string(0) ""
++}
++
+--- a/ext/calendar/julian.c
++++ b/ext/calendar/julian.c
+@@ -146,6 +146,7 @@
+ **************************************************************************/
+
+ #include "sdncal.h"
++#include <limits.h>
+
+ #define JULIAN_SDN_OFFSET 32083
+ #define DAYS_PER_5_MONTHS 153
+@@ -164,15 +165,22 @@ void SdnToJulian(
+ int dayOfYear;
+
+ if (sdn <= 0) {
+- *pYear = 0;
+- *pMonth = 0;
+- *pDay = 0;
+- return;
++ goto fail;
+ }
+- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
++ /* Check for overflow */
++ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) {
++ goto fail;
++ }
++ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1);
+
+ /* Calculate the year and day of year (1 <= dayOfYear <= 366). */
+- year = temp / DAYS_PER_4_YEARS;
++ {
++ long yearl = temp / DAYS_PER_4_YEARS;
++ if (yearl > INT_MAX || yearl < INT_MIN) {
++ goto fail;
++ }
++ year = (int) yearl;
++ }
+ dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
+
+ /* Calculate the month and day of month. */
+@@ -196,6 +204,12 @@ void SdnToJulian(
+ *pYear = year;
+ *pMonth = month;
+ *pDay = day;
++ return;
++
++fail:
++ *pYear = 0;
++ *pMonth = 0;
++ *pDay = 0;
+ }
+
+ long int JulianToSdn(
diff --git a/debian/patches/fix-integer-overflow-in-SdnToJulian.patch b/debian/patches/fix-integer-overflow-in-SdnToJulian.patch
deleted file mode 100644
index 6f1510a..0000000
--- a/debian/patches/fix-integer-overflow-in-SdnToJulian.patch
+++ /dev/null
@@ -1,90 +0,0 @@
---- /dev/null
-+++ b/ext/calendar/tests/bug53574.phpt
-@@ -0,0 +1,35 @@
-+--TEST--
-+Bug #53574 (Integer overflow in SdnToJulian; leads to segfault)
-+--SKIPIF--
-+<?php include 'skipif.inc'; ?>
-+--FILE--
-+<?php
-+if (PHP_INT_MAX == 0x7FFFFFFF) {
-+ $x = 882858043;
-+} else {
-+ $x = 3315881921229094912;
-+}
-+
-+var_dump(cal_from_jd($x, CAL_JULIAN));
-+--EXPECT--
-+array(9) {
-+ ["date"]=>
-+ string(5) "0/0/0"
-+ ["month"]=>
-+ int(0)
-+ ["day"]=>
-+ int(0)
-+ ["year"]=>
-+ int(0)
-+ ["dow"]=>
-+ int(3)
-+ ["abbrevdayname"]=>
-+ string(3) "Wed"
-+ ["dayname"]=>
-+ string(9) "Wednesday"
-+ ["abbrevmonth"]=>
-+ string(0) ""
-+ ["monthname"]=>
-+ string(0) ""
-+}
-+
---- a/ext/calendar/julian.c
-+++ b/ext/calendar/julian.c
-@@ -146,6 +146,7 @@
- **************************************************************************/
-
- #include "sdncal.h"
-+#include <limits.h>
-
- #define JULIAN_SDN_OFFSET 32083
- #define DAYS_PER_5_MONTHS 153
-@@ -164,15 +165,22 @@ void SdnToJulian(
- int dayOfYear;
-
- if (sdn <= 0) {
-- *pYear = 0;
-- *pMonth = 0;
-- *pDay = 0;
-- return;
-+ goto fail;
- }
-- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
-+ /* Check for overflow */
-+ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) {
-+ goto fail;
-+ }
-+ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1);
-
- /* Calculate the year and day of year (1 <= dayOfYear <= 366). */
-- year = temp / DAYS_PER_4_YEARS;
-+ {
-+ long yearl = temp / DAYS_PER_4_YEARS;
-+ if (yearl > INT_MAX || yearl < INT_MIN) {
-+ goto fail;
-+ }
-+ year = (int) yearl;
-+ }
- dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
-
- /* Calculate the month and day of month. */
-@@ -196,6 +204,12 @@ void SdnToJulian(
- *pYear = year;
- *pMonth = month;
- *pDay = day;
-+ return;
-+
-+fail:
-+ *pYear = 0;
-+ *pMonth = 0;
-+ *pDay = 0;
- }
-
- long int JulianToSdn(
diff --git a/debian/patches/series b/debian/patches/series
index e6f3bcf..7a6f7bc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -80,7 +80,7 @@ do-not-overwrite-GLOBALS-and-this.patch
fix-crash-if-aa-steps-are-invalid.patch
fix-crash-with-entity-declarations-in-simplexml.patch
fix-for-NULL-deref-in-zend_language_scanner.patch
-fix-integer-overflow-in-SdnToJulian.patch
+CVE-2011-1466.patch
fix-leak-and-possible-crash-introduced-by-the-null-poisoning-patch.patch
fix-leaks-and-crash-bug-when-passing-the-callback-as-variable.patch
fix-memory-leak-inside-highlight_string.patch
--
1.7.1
More information about the Pkg-php-commits
mailing list