msvcrt: Range-check fields used as array indices in _Strftime.

Signed-off-by: Jeff Smith <whydoubt@gmail.com> Signed-off-by: Piotr Caban <piotr@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>
2019-11-21 07:04:21 -06:00 · 2019-11-21 07:04:21 -06:00 · 96b6e1d77c
parent 23ee25435e
commit 96b6e1d77c
2 changed files with 18 additions and 0 deletions
--- a/dlls/msvcrt/time.c
+++ b/dlls/msvcrt/time.c
@ -1076,6 +1076,14 @@ static inline BOOL strftime_format(STRFTIME_CHAR *str, MSVCRT_size_t *pos, MSVCR
            if(format[count] == '\'') count++;
            break;
        case 'd':
+            if(count > 2)
+            {
+                if(!MSVCRT_CHECK_PMT(mstm->tm_wday>=0 && mstm->tm_wday<=6))
+                {
+                    *str = 0;
+                    return FALSE;
+                }
+            }
            switch(count) {
            case 1:
            case 2:
@ -1092,6 +1100,14 @@ static inline BOOL strftime_format(STRFTIME_CHAR *str, MSVCRT_size_t *pos, MSVCR
            }
            break;
        case 'M':
+            if(count > 2)
+            {
+                if(!MSVCRT_CHECK_PMT(mstm->tm_mon>=0 && mstm->tm_mon<=11))
+                {
+                    *str = 0;
+                    return FALSE;
+                }
+            }
            switch(count) {
            case 1:
            case 2:
--- a/dlls/ucrtbase/tests/misc.c
+++ b/dlls/ucrtbase/tests/misc.c
@ -1000,6 +1000,8 @@ static void test_strftime(void)
        {"%x", "02/30/70", { 0, 0, 0, 30, 1, 70, 4, 0, 0 }},
        {"%#x", "Thursday, January 01, 1970", { 0, 0, 0, 1, 0, 70, 4, 0, 0 }},
        {"%#x", "Thursday, February 30, 1970", { 0, 0, 0, 30, 1, 70, 4, 0, 0 }},
+        {"%#x", "", { 0, 0, 0, 30, 1, 70, 7, 0, 0 }},
+        {"%#x", "", { 0, 0, 0, 30, 12, 70, 4, 0, 0 }},
        {"%X", "00:00:00", { 0, 0, 0, 1, 0, 70, 4, 0, 0 }},
        {"%X", "14:00:00", { 0, 0, 14, 1, 0, 70, 4, 0, 0 }},
        {"%X", "23:59:60", { 60, 59, 23, 1, 0, 70, 4, 0, 0 }, TRUE},