commit 9a72c36fc4346aa318610b3e5d206698f8f4e0bf from: Timur Safin via: Sergey Bronnikov date: Fri Mar 31 10:44:24 2023 UTC datetime: fix buffer overflow in tnt_strptime Fixes #8502 Needed for #8490 NO_DOC=bugfix NO_TEST=covered by fuzzing test
commit - 10f7109c7e5c4cdf3339876e2ff150a19a36b308
commit + 9a72c36fc4346aa318610b3e5d206698f8f4e0bf
blob - /dev/null
blob + 104e22ca52d68a1c5d5e1833ecdacf06b638af85 (mode 644)
--- /dev/null
+++ changelogs/unreleased/gh-8502-fix-buffer-overflow-in-tnt_strptime.md
@@ -0,0 +1,3 @@
+## bugfix/datetime
+
+* Fixed a bug with buffer overflow in tnt_strptime (gh-8502).
blob - b208e2b965aa4df2dd3753c855237445297e1d4f
blob + 4cc4351fc9ff8b0523bfe504aaacb9b370638ad2
--- src/lib/tzcode/strptime.c
+++ src/lib/tzcode/strptime.c
@@ -125,9 +125,11 @@ tnt_strptime(const char *__restrict buf, const char *_
 c = *ptr++;
 if (c != '%') {
- if (isspace((u_char)c))
+ /* Eat up white-space in buffer and in format. */
+ if (isspace((u_char)c)) {
 while (*buf != 0 && isspace((u_char)*buf))
 buf++;
+ }
 else if (c != *buf++)
 return NULL;
 continue;
@@ -661,9 +663,10 @@ tnt_strptime(const char *__restrict buf, const char *_
 if ((flags & (FLAG_YEAR | FLAG_YDAY)) == (FLAG_YEAR | FLAG_YDAY)) {
 if (!(flags & FLAG_MONTH)) {
 i = 0;
- while (tm->tm_yday >=
- start_of_month[isleap(tm->tm_year +
- TM_YEAR_BASE)][i])
+ while (i <= 12 &&
+ tm->tm_yday >=
+ start_of_month[isleap(tm->tm_year +
+ TM_YEAR_BASE)][i])
 i++;
 if (i > 12) {
 i = 1;
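Review bot: The new guard `i <= 12` in the `while` of the second strptime.c hunk, like the `if (i > 12)` right after it, hard-codes the last valid column of `start_of_month`, whose declaration is outside the hunk, so the read at `i == 12` is only in bounds if each row really has 13 entries (to be confirmed against the declaration). I would tie the bound to the table itself, e.g. `while (i < (int)(sizeof(start_of_month[0]) / sizeof(start_of_month[0][0])) &&`, and add a comment above the loop such as `/* tm_yday can be at or past the last table entry; stop at the final column instead of reading beyond the row. */`. Because the commit relies on the fuzzer for coverage (`NO_TEST=covered by fuzzing test`), a small deterministic regression case that sets the year and day-of-year flags without a month, with the largest accepted day-of-year, would keep this branch pinned. The body of tnt_strptime starts and ends outside the hunk, so whether `tm_yday` is range-checked before this point cannot be seen here.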