From: Stanislav Malyshev Date: Mon, 12 May 2014 02:34:21 +0000 (-0700) Subject: Fix bug #67251 - date_parse_from_format out-of-bounds read X-Git-Tag: php-5.3.29RC1~27 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3c328f09840c58698cedd6bbd30bdc8a24f5b41f;p=php Fix bug #67251 - date_parse_from_format out-of-bounds read Conflicts: ext/date/lib/parse_date.c ext/date/lib/parse_date.re --- diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c index 8583f30a59..a3364ef7f8 100644 --- a/ext/date/lib/parse_date.c +++ b/ext/date/lib/parse_date.c @@ -25121,7 +25121,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim break; case '\\': /* escaped char */ - *fptr++; + if(!fptr[1]) { + add_pbf_error(s, "Escaped character expected", string, begin); + break; + } + fptr++; if (*ptr == *fptr) { ++ptr; } else { diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re index b130fd0e57..1fbd670592 100644 --- a/ext/date/lib/parse_date.re +++ b/ext/date/lib/parse_date.re @@ -2128,7 +2128,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim break; case '\\': /* escaped char */ - *fptr++; + if(!fptr[1]) { + add_pbf_error(s, "Escaped character expected", string, begin); + break; + } + fptr++; if (*ptr == *fptr) { ++ptr; } else { diff --git a/ext/date/tests/bug67251.phpt b/ext/date/tests/bug67251.phpt new file mode 100644 index 0000000000..68c56a1613 --- /dev/null +++ b/ext/date/tests/bug67251.phpt @@ -0,0 +1,38 @@ +--TEST-- +Bug #67251 (date_parse_from_format out-of-bounds read) +--INI-- +date.timezone=Europe/Berlin +--FILE-- + + bool(false) + ["month"]=> + bool(false) + ["day"]=> + bool(false) + ["hour"]=> + bool(false) + ["minute"]=> + bool(false) + ["second"]=> + bool(false) + ["fraction"]=> + bool(false) + ["warning_count"]=> + int(0) + ["warnings"]=> + array(0) { + } + ["error_count"]=> + int(2) + ["errors"]=> + array(1) { + [0]=> + string(13) "Trailing data" + } + ["is_localtime"]=> + bool(false) +}