From 5cf45ba5aba8d71f2c942254fe321906dfce4041 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 5 Aug 2025 19:38:15 +0200
Subject: [PATCH] Fix GH-19371: integer overflow in calendar.c

Closes GH-19380.
---
 NEWS                                          |  3 +
 ext/calendar/calendar.c                       | 25 ++++++++
 .../tests/cal_days_in_month_error1.phpt       |  2 +-
 ext/calendar/tests/gh19371.phpt               | 61 +++++++++++++++++++
 4 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 ext/calendar/tests/gh19371.phpt

diff --git a/NEWS b/NEWS
index ad06a4eef1b..33ce00bc0ca 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ PHP                                                                        NEWS
     (ilutov)
   . Fixed zend call stack size for macOs/arm64. (David Carlier)
 
+- Calendar:
+  . Fixed bug GH-19371 (integer overflow in calendar.c). (nielsdos)
+
 - FTP:
   . Fix theoretical issues with hrtime() not being available. (nielsdos)
 
diff --git a/ext/calendar/calendar.c b/ext/calendar/calendar.c
index 6da7e69529e..b387b20c09b 100644
--- a/ext/calendar/calendar.c
+++ b/ext/calendar/calendar.c
@@ -194,6 +194,16 @@ PHP_FUNCTION(cal_days_in_month)
 		RETURN_THROWS();
 	}
 
+	if (UNEXPECTED(month <= 0 || month > INT32_MAX - 1)) {
+		zend_argument_value_error(2, "must be between 1 and %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(year > INT32_MAX - 1)) {
+		zend_argument_value_error(3, "must be less than %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
 	calendar = &cal_conversion_table[cal];
 
 	sdn_start = calendar->to_jd(year, month, 1);
@@ -239,6 +249,21 @@ PHP_FUNCTION(cal_to_jd)
 		RETURN_THROWS();
 	}
 
+	if (UNEXPECTED(month <= 0 || month > INT32_MAX - 1)) {
+		zend_argument_value_error(2, "must be between 1 and %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(ZEND_LONG_EXCEEDS_INT(day))) {
+		zend_argument_value_error(3, "must be between %d and %d", INT32_MIN, INT32_MAX);
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(year > INT32_MAX - 1)) {
+		zend_argument_value_error(4, "must be less than %d", INT32_MAX - 1);
+		RETURN_THROWS();
+	}
+
 	RETURN_LONG(cal_conversion_table[cal].to_jd(year, month, day));
 }
 /* }}} */
diff --git a/ext/calendar/tests/cal_days_in_month_error1.phpt b/ext/calendar/tests/cal_days_in_month_error1.phpt
index f334888479f..e110c13cc2a 100644
--- a/ext/calendar/tests/cal_days_in_month_error1.phpt
+++ b/ext/calendar/tests/cal_days_in_month_error1.phpt
@@ -12,7 +12,7 @@ try {
     echo "{$ex->getMessage()}\n";
 }
 try{
-    cal_days_in_month(CAL_GREGORIAN,0, 2009);
+    cal_days_in_month(CAL_GREGORIAN,20, 2009);
 } catch (ValueError $ex) {
     echo "{$ex->getMessage()}\n";
 }
diff --git a/ext/calendar/tests/gh19371.phpt b/ext/calendar/tests/gh19371.phpt
new file mode 100644
index 00000000000..1d807a98388
--- /dev/null
+++ b/ext/calendar/tests/gh19371.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GH-19371 (integer overflow in calendar.c)
+--SKIPIF--
+<?php if (PHP_INT_SIZE !== 8) die("skip only for 64-bit"); ?>
+--EXTENSIONS--
+calendar
+--FILE--
+<?php
+
+try {
+    echo cal_days_in_month(CAL_GREGORIAN, 12, PHP_INT_MAX);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_days_in_month(CAL_GREGORIAN, PHP_INT_MIN, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_days_in_month(CAL_GREGORIAN, PHP_INT_MAX, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    echo cal_to_jd(CAL_GREGORIAN, PHP_INT_MIN, 1, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, PHP_INT_MAX, 1, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, 1, PHP_INT_MIN, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, 1, PHP_INT_MAX, 1);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    echo cal_to_jd(CAL_GREGORIAN, 1, 1, PHP_INT_MAX);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+cal_days_in_month(): Argument #3 ($year) must be less than 2147483646
+cal_days_in_month(): Argument #2 ($month) must be between 1 and 2147483646
+cal_days_in_month(): Argument #2 ($month) must be between 1 and 2147483646
+cal_to_jd(): Argument #2 ($month) must be between 1 and 2147483646
+cal_to_jd(): Argument #2 ($month) must be between 1 and 2147483646
+cal_to_jd(): Argument #3 ($day) must be between -2147483648 and 2147483647
+cal_to_jd(): Argument #3 ($day) must be between -2147483648 and 2147483647
+cal_to_jd(): Argument #4 ($year) must be less than 2147483646