Commit 96a80b5a authored by Daniel Stenberg's avatar Daniel Stenberg

parsedate: handle cut off numbers better

... and don't read outside of the given buffer!

CVE-2016-8621

bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
parent 46133aa5
+7 −5
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -386,15 +386,17 @@ static int parsedate(const char *date, time_t *output)
      /* a digit */
      int val;
      char *end;
      int len=0;
      if((secnum == -1) &&
         (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) {
         (3 == sscanf(date, "%02d:%02d:%02d%n",
                      &hournum, &minnum, &secnum, &len))) {
        /* time stamp! */
        date += 8;
        date += len;
      }
      else if((secnum == -1) &&
              (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) {
              (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) {
        /* time stamp without seconds */
        date += 5;
        date += len;
        secnum = 0;
      }
      else {
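Review bot: Both sscanf calls still use `%02d`, which skips leading white space and accepts a sign, so the time-stamp branches will also take a field such as ` 3` or `-4` (constructed examples) after a colon; `%n` makes the pointer advance correct for those, but the values themselves are not checked in this hunk. Whether a negative minute or second is rejected depends on the range check later in parsedate, which lies outside the hunk (the function starts and ends outside it), so that is worth confirming. I would also add a comment above the first sscanf recording why the advance is no longer fixed: `/* advance by what sscanf consumed (%n): fields may be a single digit, so a fixed +8/+5 could step past the terminating NUL */`.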
+6 −0
@@ -116,6 +116,12 @@ nothing
81: 20111323 12:34:56 => -1
82: 20110623 12:34:79 => -1
83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
84: 20110623 12:3 => 1308830580
85: 20110623 1:3 => 1308790980
86: 20110623 1:30 => 1308792600
87: 20110623 12:12:3 => 1308831123
88: 20110623 01:12:3 => 1308791523
89: 20110623 01:99:30 => -1
</stdout>

# This test case previously tested an overflow case ("2094 Nov 6 =>
+7 −1
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -116,6 +116,12 @@ static const char * const dates[]={
  "20111323 12:34:56",
  "20110623 12:34:79",
  "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
  "20110623 12:3",
  "20110623 1:3",
  "20110623 1:30",
  "20110623 12:12:3",
  "20110623 01:12:3",
  "20110623 01:99:30",
  NULL
};
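Review bot: The six new entries in `dates[]` carry no comment, unlike the leap-second line just above them, so a reader cannot tell which ones exercise the cut-off fields fixed for CVE-2016-8621. A short trailing comment per entry would do, e.g. `"20110623 12:3", /* one-digit minute at end of string */` and `"20110623 01:99:30", /* minute out of range */`. The list covers short fields and one upper-bound violation, but nothing with a sign or a space after the colon, which the `%02d` conversions in parsedate would accept. Adding one such string, together with its expected line in the test's stdout section, would pin that behavior.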