gdate: Limit length of dates which can be parsed as valid

Realistically any date over 200 bytes long is not going to be valid, so
limit the input length so we can’t spend too long doing UTF-8 validation
or normalisation.

oss-fuzz#28718

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
This commit is contained in:
Philip Withnall 2020-12-18 11:38:31 +00:00
parent 4c6daefd6b
commit 3fc314ec38
2 changed files with 11 additions and 0 deletions

View File

@ -1229,12 +1229,19 @@ g_date_set_parse (GDate *d,
{
GDateParseTokens pt;
guint m = G_DATE_BAD_MONTH, day = G_DATE_BAD_DAY, y = G_DATE_BAD_YEAR;
gsize str_len;
g_return_if_fail (d != NULL);
/* set invalid */
g_date_clear (d, 1);
/* Anything longer than this is ridiculous and could take a while to normalize.
* This limit is chosen arbitrarily. */
str_len = strlen (str);
if (str_len > 200)
return;
/* The input has to be valid UTF-8. */
if (!g_utf8_validate (str, -1, NULL))
return;

View File

@ -191,6 +191,10 @@ test_parse_invalid (void)
{
/* Incomplete UTF-8 sequence */
"\xfd",
/* Ridiculously long input */
"12345678901234567890123456789012345678901234567890123456789012345678901234567890"
"12345678901234567890123456789012345678901234567890123456789012345678901234567890"
"12345678901234567890123456789012345678901234567890123456789012345678901234567890",
};
gsize i;