From 2ccd2b016df2c4cf8ff36a65b5875f1a7e39ac21 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Sat, 14 Jun 2025 11:11:38 +0100
Subject: [PATCH] ext/calendar: jewishtojd overflow on year argument.

Upper limit set to the 7th millenium (Messianic Age) in the jewish calendar,
 around 2239 year in the gregorian calendar.

close GH-18849
---
 NEWS                                 |  3 +++
 ext/calendar/calendar.c              |  5 +++++
 ext/calendar/jewish.c                |  2 +-
 ext/calendar/tests/gh16234_2.phpt    | 11 +++++++++++
 ext/calendar/tests/gh16234_2_64.phpt | 21 +++++++++++++++++++++
 5 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 ext/calendar/tests/gh16234_2.phpt
 create mode 100644 ext/calendar/tests/gh16234_2_64.phpt

diff --git a/NEWS b/NEWS
index ea77125b205..fd344ee94c7 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.24
 
+- Calendar:
+  . Fixed jewishtojd overflow on year argument. (David Carlier)
+
 - Core:
   . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
     order). (Daniil Gentili)
diff --git a/ext/calendar/calendar.c b/ext/calendar/calendar.c
index 756ce0e90dc..6da7e69529e 100644
--- a/ext/calendar/calendar.c
+++ b/ext/calendar/calendar.c
@@ -490,6 +490,11 @@ PHP_FUNCTION(jewishtojd)
 		RETURN_THROWS();
 	}
 
+	if (ZEND_LONG_EXCEEDS_INT(year)) {
+		zend_argument_value_error(3, "must be between %d and %d", INT_MIN, INT_MAX);
+		RETURN_THROWS();
+	}
+
 	RETURN_LONG(JewishToSdn(year, month, day));
 }
 /* }}} */
diff --git a/ext/calendar/jewish.c b/ext/calendar/jewish.c
index bdfc9b4f910..2fbdcb059b0 100644
--- a/ext/calendar/jewish.c
+++ b/ext/calendar/jewish.c
@@ -714,7 +714,7 @@ zend_long JewishToSdn(
 	int yearLength;
 	int lengthOfAdarIAndII;
 
-	if (year <= 0 || day <= 0 || day > 30) {
+	if (year <= 0 || year >= 6000 || day <= 0 || day > 30) {
 		return (0);
 	}
 	switch (month) {
diff --git a/ext/calendar/tests/gh16234_2.phpt b/ext/calendar/tests/gh16234_2.phpt
new file mode 100644
index 00000000000..76db2b9abf2
--- /dev/null
+++ b/ext/calendar/tests/gh16234_2.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-16234 jewishtojd overflow on year argument
+--EXTENSIONS--
+calendar
+--FILE--
+<?php
+jewishtojd(10, 6, 2147483647);
+echo "DONE";
+?>
+--EXPECTF--
+DONE
diff --git a/ext/calendar/tests/gh16234_2_64.phpt b/ext/calendar/tests/gh16234_2_64.phpt
new file mode 100644
index 00000000000..7da25460965
--- /dev/null
+++ b/ext/calendar/tests/gh16234_2_64.phpt
@@ -0,0 +1,21 @@
+--TEST--
+GH-16234 jewishtojd overflow on year argument
+--EXTENSIONS--
+calendar
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE == 4) {
+        die("skip this test is for 64bit platform only");
+}
+?>
+--FILE--
+<?php
+try {
+	jewishtojd(10, 6, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+jewishtojd(): Argument #3 ($year) must be between %i and %d
+