Fix bug #67251 - date_parse_from_format out-of-bounds read

author Stanislav Malyshev <stas@php.net>

Mon, 12 May 2014 02:34:21 +0000 (19:34 -0700)

committer Stanislav Malyshev <stas@php.net>

Sun, 15 Jun 2014 07:33:24 +0000 (00:33 -0700)
author Stanislav Malyshev <stas@php.net>
Mon, 12 May 2014 02:34:21 +0000 (19:34 -0700)
committer Stanislav Malyshev <stas@php.net>
Sun, 15 Jun 2014 07:33:24 +0000 (00:33 -0700)
diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c

index 8583f30a595f62f7dbd36a90975a3d082f49e4c4..a3364ef7f8d8c3a246fc6eae1ac3e00e9c1a9418 100644 (file)
--- a/ext/date/lib/parse_date.c
+++ b/ext/date/lib/parse_date.c
@@ -25121,7 +25121,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
                                 break;
  
                         case '\\': /* escaped char */
-                               *fptr++;
+                if(!fptr[1]) {
+                                   add_pbf_error(s, "Escaped character expected", string, begin);
+                    break;
+                }
+                               fptr++;
                                 if (*ptr == *fptr) {
                                         ++ptr;
                                 } else {
diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re

index b130fd0e574d2d5b246c1d44d2214c0f035370e6..1fbd67059222d19d724606b9fd79242482b300bc 100644 (file)
--- a/ext/date/lib/parse_date.re
+++ b/ext/date/lib/parse_date.re
@@ -2128,7 +2128,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
                                 break;
  
                         case '\\': /* escaped char */
-                               *fptr++;
+                if(!fptr[1]) {
+                                   add_pbf_error(s, "Escaped character expected", string, begin);
+                    break;
+                }
+                               fptr++;
                                 if (*ptr == *fptr) {
                                         ++ptr;
                                 } else {
diff --git a/ext/date/tests/bug67251.phpt b/ext/date/tests/bug67251.phpt

new file mode 100644 (file)

index 0000000..68c56a1
--- /dev/null
+++ b/ext/date/tests/bug67251.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Bug #67251 (date_parse_from_format out-of-bounds read)
+--INI--
+date.timezone=Europe/Berlin
+--FILE--
+<?php
+var_dump(date_parse_from_format("\\","AAAABBBB"));
+--EXPECT--
+array(12) {
+  ["year"]=>
+  bool(false)
+  ["month"]=>
+  bool(false)
+  ["day"]=>
+  bool(false)
+  ["hour"]=>
+  bool(false)
+  ["minute"]=>
+  bool(false)
+  ["second"]=>
+  bool(false)
+  ["fraction"]=>
+  bool(false)
+  ["warning_count"]=>
+  int(0)
+  ["warnings"]=>
+  array(0) {
+  }
+  ["error_count"]=>
+  int(2)
+  ["errors"]=>
+  array(1) {
+    [0]=>
+    string(13) "Trailing data"
+  }
+  ["is_localtime"]=>
+  bool(false)
+}
author	Stanislav Malyshev <stas@php.net>
	Mon, 12 May 2014 02:34:21 +0000 (19:34 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Sun, 15 Jun 2014 07:33:24 +0000 (00:33 -0700)
ext/date/lib/parse_date.c		patch \| blob \| history
ext/date/lib/parse_date.re		patch \| blob \| history
ext/date/tests/bug67251.phpt	[new file with mode: 0644]	patch \| blob