Fix GH-19371: integer overflow in calendar.c

Closes GH-19380.

Author: nielsdos

NEWS

@@ -21,6 +21,9 @@ PHP                                                                        NEWS
     (ilutov)
   . Fixed zend call stack size for macOs/arm64. (David Carlier)
 
+- Calendar:
+  . Fixed bug GH-19371 (integer overflow in calendar.c). (nielsdos)
+
 - FTP:
   . Fix theoretical issues with hrtime() not being available. (nielsdos)
 

ext/calendar/calendar.c

@@ -194,6 +194,16 @@ PHP_FUNCTION(cal_days_in_month)
 		RETURN_THROWS();
 	}
 
+	if (UNEXPECTED(month <= 0 || month > INT32_MAX - 1)) {
+		zend_argument_value_error(2, "must be between 1 and %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(year > INT32_MAX - 1)) {
+		zend_argument_value_error(3, "must be less than %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
 	calendar = &cal_conversion_table[cal];
 
 	sdn_start = calendar->to_jd(year, month, 1);
@@ -239,6 +249,21 @@ PHP_FUNCTION(cal_to_jd)
 		RETURN_THROWS();
 	}
 
+	if (UNEXPECTED(month <= 0 || month > INT32_MAX - 1)) {
+		zend_argument_value_error(2, "must be between 1 and %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(ZEND_LONG_EXCEEDS_INT(day))) {
+		zend_argument_value_error(3, "must be between %d and %d", INT32_MIN, INT32_MAX);
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(year > INT32_MAX - 1)) {
+		zend_argument_value_error(4, "must be less than %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
 	RETURN_LONG(cal_conversion_table[cal].to_jd(year, month, day));
 }
 /* }}} */

ext/calendar/tests/cal_days_in_month_error1.phpt

@@ -12,7 +12,7 @@ try {
     echo "{$ex->getMessage()}\n";
 }
 try{
-    cal_days_in_month(CAL_GREGORIAN,0, 2009);
+    cal_days_in_month(CAL_GREGORIAN,20, 2009);
 } catch (ValueError $ex) {
     echo "{$ex->getMessage()}\n";
 }

ext/calendar/tests/gh19371.phpt

@@ -0,0 +1,61 @@
+--TEST--
+GH-19371 (integer overflow in calendar.c)
+--SKIPIF--
+<?php if (PHP_INT_SIZE !== 8) die("skip only for 64-bit"); ?>
+--EXTENSIONS--
+calendar
+--FILE--
+<?php
+
+try {
+    echo cal_days_in_month(CAL_GREGORIAN, 12, PHP_INT_MAX);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_days_in_month(CAL_GREGORIAN, PHP_INT_MIN, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_days_in_month(CAL_GREGORIAN, PHP_INT_MAX, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    echo cal_to_jd(CAL_GREGORIAN, PHP_INT_MIN, 1, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, PHP_INT_MAX, 1, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, 1, PHP_INT_MIN, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, 1, PHP_INT_MAX, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, 1, 1, PHP_INT_MAX);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+cal_days_in_month(): Argument #3 ($year) must be less than 2147483646
+cal_days_in_month(): Argument #2 ($month) must be between 1 and 2147483646
+cal_days_in_month(): Argument #2 ($month) must be between 1 and 2147483646
+cal_to_jd(): Argument #2 ($month) must be between 1 and 2147483646
+cal_to_jd(): Argument #2 ($month) must be between 1 and 2147483646
+cal_to_jd(): Argument #3 ($day) must be between -2147483648 and 2147483647
+cal_to_jd(): Argument #3 ($day) must be between -2147483648 and 2147483647
+cal_to_jd(): Argument #4 ($year) must be less than 2147483646