Jeff Smith : msvcrt: Range-check fields used as array indices in _Strftime.

Thu Nov 21 16:33:27 CST 2019

Module: wine
Branch: master
Commit: 96b6e1d77cbcd4c7daa36fb010ed64fbae0694f3
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=96b6e1d77cbcd4c7daa36fb010ed64fbae0694f3

Author: Jeff Smith <whydoubt at gmail.com>
Date:   Thu Nov 21 07:04:21 2019 -0600

msvcrt: Range-check fields used as array indices in _Strftime.

Signed-off-by: Jeff Smith <whydoubt at gmail.com>
Signed-off-by: Piotr Caban <piotr at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/msvcrt/time.c         | 16 ++++++++++++++++
 dlls/ucrtbase/tests/misc.c |  2 ++
 2 files changed, 18 insertions(+)

diff --git a/dlls/msvcrt/time.c b/dlls/msvcrt/time.c
index ec728a1a30..68784db861 100644
--- a/dlls/msvcrt/time.c
+++ b/dlls/msvcrt/time.c
@@ -1076,6 +1076,14 @@ static inline BOOL strftime_format(STRFTIME_CHAR *str, MSVCRT_size_t *pos, MSVCR
             if(format[count] == '\'') count++;
             break;
         case 'd':
+            if(count > 2)
+            {
+                if(!MSVCRT_CHECK_PMT(mstm->tm_wday>=0 && mstm->tm_wday<=6))
+                {
+                    *str = 0;
+                    return FALSE;
+                }
+            }
             switch(count) {
             case 1:
             case 2:
@@ -1092,6 +1100,14 @@ static inline BOOL strftime_format(STRFTIME_CHAR *str, MSVCRT_size_t *pos, MSVCR
             }
             break;
         case 'M':
+            if(count > 2)
+            {
+                if(!MSVCRT_CHECK_PMT(mstm->tm_mon>=0 && mstm->tm_mon<=11))
+                {
+                    *str = 0;
+                    return FALSE;
+                }
+            }
             switch(count) {
             case 1:
             case 2:
diff --git a/dlls/ucrtbase/tests/misc.c b/dlls/ucrtbase/tests/misc.c
index ca4e16c9fa..bc667382e9 100644
--- a/dlls/ucrtbase/tests/misc.c
+++ b/dlls/ucrtbase/tests/misc.c
@@ -1000,6 +1000,8 @@ static void test_strftime(void)
         {"%x", "02/30/70", { 0, 0, 0, 30, 1, 70, 4, 0, 0 }},
         {"%#x", "Thursday, January 01, 1970", { 0, 0, 0, 1, 0, 70, 4, 0, 0 }},
         {"%#x", "Thursday, February 30, 1970", { 0, 0, 0, 30, 1, 70, 4, 0, 0 }},
+        {"%#x", "", { 0, 0, 0, 30, 1, 70, 7, 0, 0 }},
+        {"%#x", "", { 0, 0, 0, 30, 12, 70, 4, 0, 0 }},
         {"%X", "00:00:00", { 0, 0, 0, 1, 0, 70, 4, 0, 0 }},
         {"%X", "14:00:00", { 0, 0, 14, 1, 0, 70, 4, 0, 0 }},
         {"%X", "23:59:60", { 60, 59, 23, 1, 0, 70, 4, 0, 0 }, TRUE},


