[PATCH 4/5] msvcrt: Range-check fields used as array indices in _Strftime.

Jeff Smith whydoubt at gmail.com
Thu Nov 21 07:04:21 CST 2019


Signed-off-by: Jeff Smith <whydoubt at gmail.com>
---
 dlls/msvcrt/time.c         | 16 ++++++++++++++++
 dlls/ucrtbase/tests/misc.c |  2 ++
 2 files changed, 18 insertions(+)

diff --git a/dlls/msvcrt/time.c b/dlls/msvcrt/time.c
index ec728a1a30..68784db861 100644
--- a/dlls/msvcrt/time.c
+++ b/dlls/msvcrt/time.c
@@ -1076,6 +1076,14 @@ static inline BOOL strftime_format(STRFTIME_CHAR *str, MSVCRT_size_t *pos, MSVCR
             if(format[count] == '\'') count++;
             break;
         case 'd':
+            if(count > 2)
+            {
+                if(!MSVCRT_CHECK_PMT(mstm->tm_wday>=0 && mstm->tm_wday<=6))
+                {
+                    *str = 0;
+                    return FALSE;
+                }
+            }
             switch(count) {
             case 1:
             case 2:
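Review bot: The `count > 2` guard in the 'd' case, and the matching guard in the 'M' case of the next hunk, relies on an invariant that is not written down: apparently only the three- and four-letter forms use `tm_wday` / `tm_mon` as a table index, while the shorter forms print a number. A one-line comment above each guard would keep that visible to whoever next touches the inner switch, for example `/* ddd/dddd look up the day name by tm_wday; d/dd do not index */` and the equivalent for months. The nested `if` could also be folded into a single condition, `if(count > 2 && !MSVCRT_CHECK_PMT(mstm->tm_wday>=0 && mstm->tm_wday<=6))`, which removes one brace level in both places. The switch arms that perform the lookup lie outside both hunks, so which counts actually index is inferred from the guard and the patch title and should be confirmed against the full function.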
@@ -1092,6 +1100,14 @@ static inline BOOL strftime_format(STRFTIME_CHAR *str, MSVCRT_size_t *pos, MSVCR
             }
             break;
         case 'M':
+            if(count > 2)
+            {
+                if(!MSVCRT_CHECK_PMT(mstm->tm_mon>=0 && mstm->tm_mon<=11))
+                {
+                    *str = 0;
+                    return FALSE;
+                }
+            }
             switch(count) {
             case 1:
             case 2:
diff --git a/dlls/ucrtbase/tests/misc.c b/dlls/ucrtbase/tests/misc.c
index ca4e16c9fa..bc667382e9 100644
--- a/dlls/ucrtbase/tests/misc.c
+++ b/dlls/ucrtbase/tests/misc.c
@@ -1000,6 +1000,8 @@ static void test_strftime(void)
         {"%x", "02/30/70", { 0, 0, 0, 30, 1, 70, 4, 0, 0 }},
         {"%#x", "Thursday, January 01, 1970", { 0, 0, 0, 1, 0, 70, 4, 0, 0 }},
         {"%#x", "Thursday, February 30, 1970", { 0, 0, 0, 30, 1, 70, 4, 0, 0 }},
+        {"%#x", "", { 0, 0, 0, 30, 1, 70, 7, 0, 0 }},
+        {"%#x", "", { 0, 0, 0, 30, 12, 70, 4, 0, 0 }},
         {"%X", "00:00:00", { 0, 0, 0, 1, 0, 70, 4, 0, 0 }},
         {"%X", "14:00:00", { 0, 0, 14, 1, 0, 70, 4, 0, 0 }},
         {"%X", "23:59:60", { 60, 59, 23, 1, 0, 70, 4, 0, 0 }, TRUE},
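Review bot: The two added rows only exercise the upper bound (`tm_wday` 7 and `tm_mon` 12), but the new checks in time.c also reject negative values, and a negative index is the case that would read before the name table. Rows such as `{"%#x", "", { 0, 0, 0, 30, 1, 70, -1, 0, 0 }},` and `{"%#x", "", { 0, 0, 0, 30, -1, 70, 4, 0, 0 }},` would cover that side, assuming native ucrtbase also yields an empty string there. A `%x` row with an out-of-range `tm_wday` would additionally pin that the numeric short-date form is not rejected, if that matches Windows. The table and the loop that consumes it continue outside the hunk, so whether the return value and errno are asserted for these rows is not visible here.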
-- 
2.23.0



