From: Steve Dower
Date: Sat, 5 Sep 2015 19:16:06 +0000 (-0700)
Subject: Issue #24917: time_strftime() Buffer Over-read. Patch by John Leitch.
X-Git-Tag: v3.5.0rc3~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=373602fa3f3e54ca4f7e7a87948b6df86a17a3e6;p=python
Issue #24917: time_strftime() Buffer Over-read. Patch by John Leitch.
---
diff --git a/Lib/test/test_time.py b/Lib/test/test_time.py
index 6334e022e0..3f571a0e6f 100644
--- a/Lib/test/test_time.py
+++ b/Lib/test/test_time.py
@@ -174,6 +174,12 @@ class TimeTestCase(unittest.TestCase):
 def test_strftime_bounding_check(self):
 self._bounds_checking(lambda tup: time.strftime('', tup))
+ def test_strftime_format_check(self):
+ for x in [ '', 'A', '%A', '%AA' ]:
+ for y in range(0x0, 0x10):
+ for z in [ '%', 'A%', 'AA%', '%A%', 'A%A%', '%#' ]:
+ self.assertRaises(ValueError, time.strftime, x * y + z)
+
 def test_default_values_for_zero(self):
 # Make sure that using all zeros uses the proper default
 # values. No test for daylight savings since strftime() does
diff --git a/Misc/NEWS b/Misc/NEWS
index 2b1f278583..b8698eba35 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ Release date: 2015-09-06
 Core and Builtins
 -----------------
+- Issue #24917: time_strftime() Buffer Over-read. Patch by John Leitch.
+
 - Issue #24912: Prevent __class__ assignment to immutable built-in objects.
 - Issue #24975: Fix AST compilation for PEP 448 syntax.
diff --git a/Modules/timemodule.c b/Modules/timemodule.c
index 197d2c0b8d..55e26fa8a2 100644
--- a/Modules/timemodule.c
+++ b/Modules/timemodule.c
@@ -623,6 +623,12 @@ time_strftime(PyObject *self, PyObject *args)
 Py_DECREF(format);
 return NULL;
 }
+ else if (outbuf[1] == '\0')
+ {
+ PyErr_SetString(PyExc_ValueError, "Incomplete format string");
+ Py_DECREF(format);
+ return NULL;
+ }
 }
 #elif (defined(_AIX) || defined(sun)) && defined(HAVE_WCSFTIME)
 for(outbuf = wcschr(fmt, '%');
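Review bot: `test_strftime_format_check` in Lib/test/test_time.py asserts ValueError for a trailing `%` on every platform, but the checks this commit adds in Modules/timemodule.c sit inside preprocessor branches (the second under `#elif (defined(_AIX) || defined(sun)) && defined(HAVE_WCSFTIME)`; the guard of the first is outside its hunk). On a build that compiles neither branch the format presumably reaches the C library unchecked, and a libc that accepts a lone `%` would make this test fail. Either reject the incomplete directive unconditionally in time_strftime(), or let the test accept both outcomes, for example `try: time.strftime(x * y + z)` followed by `except ValueError: pass`; that still drives the scan over every trailing-`%` shape, which is what a memory checker needs to see.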
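Review bot: In the first Modules/timemodule.c hunk (@@ -623) the new `else if (outbuf[1] == '\0')` branch carries no comment, although it is the entire memory-safety fix for Issue #24917. I would put a line above it such as `/* lone '%' at end of format: reject before the scan steps past the terminator */`, so that a later reshuffle of the validation chain does not silently drop the guard. The identical branch in the @@ -636 hunk needs the same comment. The enclosing loop and the `if` this branch chains onto begin outside the hunk, so the description of the scan step is inferred from the commit title rather than read from visible lines.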
@@ -636,6 +642,12 @@ time_strftime(PyObject *self, PyObject *args)
 "format %y requires year >= 1900 on AIX");
 return NULL;
 }
+ else if (outbuf[1] == '\0')
+ {
+ PyErr_SetString(PyExc_ValueError, "Incomplete format string");
+ Py_DECREF(format);
+ return NULL;
+ }
 }
 #endif
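Review bot: The added error path in the AIX/sun branch calls `Py_DECREF(format)`, while the existing `%y` error path directly above it in this hunk returns without releasing `format` at all, so the two exits of the same loop disagree about ownership. This branch is compiled under HAVE_WCSFTIME and its loop scans `fmt` with wcschr() (visible at the end of the previous hunk), which suggests `format` is a wide-character buffer here rather than a PyObject; its declaration is outside the hunk, so that needs confirming. If it is a buffer, Py_DECREF is the wrong release and both paths should free it with the matching allocator call, e.g. `PyMem_Free(format);` if it came from PyUnicode_AsWideCharString(). Writing the comparison as `outbuf[1] == L'\0'` would also match the wide-character scan.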