Fix bug #67251 - date_parse_from_format out-of-bounds read

diff --git a/NEWS b/NEWS
index 03f8b87daf95e520b8158f7e35dcb18bd3cf2bd2..ec1ad06f1f05f6e66ef272e38689f0a09a72287f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ PHP                                                                        NEWS
 
 - Date:
   . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)
+  . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas)
 
 - DOM:
   . Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag,

diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c
index 47b48178c2dc5fe1e1a712b1a13acd08acdd2789..4b83451f908a6b35d8c3f8faafe3f4446ffebf01 100644 (file)
--- a/ext/date/lib/parse_date.c
+++ b/ext/date/lib/parse_date.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 on Sat Jan 25 15:48:30 2014 */
+/* Generated by re2c 0.13.5 on Sun May 11 19:30:56 2014 */
 #line 1 "ext/date/lib/parse_date.re"
 /*
    +----------------------------------------------------------------------+
@@ -25124,6 +25124,10 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
                                break;
 
                        case '\\': /* escaped char */
+                if(!fptr[1]) {
+                                   add_pbf_error(s, "Escaped character expected", string, begin);
+                    break;
+                }
                                fptr++;
                                if (*ptr == *fptr) {
                                        ++ptr;

diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re
index 5b923d4bc41b2d06c1e13bff020dde8e145faeae..2a0687cbaaaf8e363eb0beab274c9fbdbe307651 100644 (file)
--- a/ext/date/lib/parse_date.re
+++ b/ext/date/lib/parse_date.re
@@ -2131,6 +2131,10 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
                                break;
 
                        case '\\': /* escaped char */
+                if(!fptr[1]) {
+                                   add_pbf_error(s, "Escaped character expected", string, begin);
+                    break;
+                }
                                fptr++;
                                if (*ptr == *fptr) {
                                        ++ptr;

diff --git a/ext/date/tests/bug67251.phpt b/ext/date/tests/bug67251.phpt
new file mode 100644 (file)
index 0000000..68c56a1
--- /dev/null
+++ b/ext/date/tests/bug67251.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Bug #67251 (date_parse_from_format out-of-bounds read)
+--INI--
+date.timezone=Europe/Berlin
+--FILE--
+<?php
+var_dump(date_parse_from_format("\\","AAAABBBB"));
+--EXPECT--
+array(12) {
+  ["year"]=>
+  bool(false)
+  ["month"]=>
+  bool(false)
+  ["day"]=>
+  bool(false)
+  ["hour"]=>
+  bool(false)
+  ["minute"]=>
+  bool(false)
+  ["second"]=>
+  bool(false)
+  ["fraction"]=>
+  bool(false)
+  ["warning_count"]=>
+  int(0)
+  ["warnings"]=>
+  array(0) {
+  }
+  ["error_count"]=>
+  int(2)
+  ["errors"]=>
+  array(1) {
+    [0]=>
+    string(13) "Trailing data"
+  }
+  ["is_localtime"]=>
+  bool(false)
+}