Fix GH-14709 overflow on recurrences for DatePeriod::__construct

devnexen · devnexen · commit 16c0e5753000 · 2024-12-20T15:03:47.000Z
close GH-14710
diff --git a/NEWS b/NEWS
@@ -9,6 +9,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-17101 (AST->string does not reproduce constructor property
     promotion correctly). (nielsdos)
 
+- Date:
+  . Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.
+    (David Carlier)
+
 - DBA:
   . Skip test if inifile is disabled. (orlitzky)
 
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -4903,9 +4903,11 @@ static bool date_period_init_iso8601_string(php_period_obj *dpobj, zend_class_en
 
 static bool date_period_init_finish(php_period_obj *dpobj, zend_long options, zend_long recurrences)
 {
-	if (dpobj->end == NULL && recurrences < 1) {
+	const zend_long max_recurrences = (INT_MAX - 8);
+
+	if (dpobj->end == NULL && (recurrences < 1 || recurrences > max_recurrences)) {
 		zend_string *func = get_active_function_or_method_name();
-		zend_throw_exception_ex(date_ce_date_malformed_period_string_exception, 0, "%s(): Recurrence count must be greater than 0", ZSTR_VAL(func));
+		zend_throw_exception_ex(date_ce_date_malformed_period_string_exception, 0, "%s(): Recurrence count must be greater or equal to 1 and lower than " ZEND_LONG_FMT, ZSTR_VAL(func), max_recurrences + 1);
 		zend_string_release(func);
 		return false;
 	}
@@ -4914,8 +4916,17 @@ static bool date_period_init_finish(php_period_obj *dpobj, zend_long options, ze
 	dpobj->include_start_date = !(options & PHP_DATE_PERIOD_EXCLUDE_START_DATE);
 	dpobj->include_end_date = options & PHP_DATE_PERIOD_INCLUDE_END_DATE;
 
-	/* recurrrences */
-	dpobj->recurrences = recurrences + dpobj->include_start_date + dpobj->include_end_date;
+	/* recurrences */
+	recurrences += dpobj->include_start_date + dpobj->include_end_date;
+
+	if (UNEXPECTED(recurrences > max_recurrences)) {
+		zend_string *func = get_active_function_or_method_name();
+		zend_throw_exception_ex(date_ce_date_malformed_string_exception, 0, "%s(): Recurrence count must be greater or equal to 1 and lower than " ZEND_LONG_FMT " (including options)", ZSTR_VAL(func), max_recurrences + 1);
+		zend_string_release(func);
+		return false;
+	}
+
+	dpobj->recurrences = (int)recurrences;
 
 	dpobj->initialized = 1;
 
diff --git a/ext/date/tests/DatePeriod_wrong_recurrence_on_constructor.phpt b/ext/date/tests/DatePeriod_wrong_recurrence_on_constructor.phpt
@@ -15,6 +15,6 @@ try {
 }
 
 ?>
---EXPECT--
-DatePeriod::__construct(): Recurrence count must be greater than 0
-DatePeriod::__construct(): Recurrence count must be greater than 0
+--EXPECTF--
+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d
+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d
diff --git a/ext/date/tests/date_period_bad_iso_format.phpt b/ext/date/tests/date_period_bad_iso_format.phpt
@@ -40,10 +40,10 @@ try {
 }
 
 ?>
---EXPECT--
+--EXPECTF--
 DateMalformedPeriodStringException: DatePeriod::__construct(): ISO interval must contain a start date, "R4" given
 DateMalformedPeriodStringException: DatePeriod::createFromISO8601String(): ISO interval must contain a start date, "R4" given
 DateMalformedPeriodStringException: DatePeriod::__construct(): ISO interval must contain an interval, "R4/2012-07-01T00:00:00Z" given
 DateMalformedPeriodStringException: DatePeriod::createFromISO8601String(): ISO interval must contain an interval, "R4/2012-07-01T00:00:00Z" given
-DateMalformedPeriodStringException: DatePeriod::__construct(): Recurrence count must be greater than 0
-DateMalformedPeriodStringException: DatePeriod::createFromISO8601String(): Recurrence count must be greater than 0
+DateMalformedPeriodStringException: DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d
+DateMalformedPeriodStringException: DatePeriod::createFromISO8601String(): Recurrence count must be greater or equal to 1 and lower than %d
diff --git a/ext/date/tests/gh14709.phpt b/ext/date/tests/gh14709.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug GH-14709 overflow on reccurences parameter
+--FILE--
+<?php
+$start = new DateTime('2018-12-31 00:00:00');
+$interval = new DateInterval('P1M');
+
+try {
+	new DatePeriod($start, $interval, 2147483640);
+} catch (Exception $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+
+try {
+	new DatePeriod($start, $interval, 2147483639, DatePeriod::EXCLUDE_START_DATE | DatePeriod::INCLUDE_END_DATE);
+} catch (Exception $e) {
+	echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+DateMalformedPeriodStringException: DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d
+DateMalformedStringException: DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d (including options)

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,6 @@ try {`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`?>`
`18`		`---EXPECT--`
`19`		`-DatePeriod::__construct(): Recurrence count must be greater than 0`
`20`		`-DatePeriod::__construct(): Recurrence count must be greater than 0`
	`18`	`+--EXPECTF--`
	`19`	`+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d`
	`20`	`+DatePeriod::__construct(): Recurrence count must be greater or equal to 1 and lower than %d`