Merge remote-tracking branch 'derickr/gh9763' into PHP-8.0

derickr · derickr · commit 47b9ea1957dd · 2022-10-17T18:21:35.000+01:00
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -3438,6 +3438,12 @@ static int timezone_initialize(php_timezone_obj *tzobj, const char *tz, size_t t
 	}
 
 	dummy_t->z = timelib_parse_zone(&tz, &dst, dummy_t, &not_found, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
+	if ((dummy_t->z >= (100 * 60 * 60)) || (dummy_t->z <= (-100 * 60 * 60))) {
+		php_error_docref(NULL, E_WARNING, "Timezone offset is out of range (%s)", orig_tz);
+		timelib_free(dummy_t->tz_abbr);
+		efree(dummy_t);
+		return FAILURE;
+	}
 	dummy_t->dst = dst;
 	if (!not_found && (*tz != '\0')) {
 		php_error_docref(NULL, E_WARNING, "Unknown or bad timezone (%s)", orig_tz);
diff --git a/ext/date/tests/bug-gh9763.phpt b/ext/date/tests/bug-gh9763.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Test bug GH-9763: DateTimeZone ctr mishandles input and adds null byte if the argument is an offset larger than 100*60 minutes
+--FILE--
+<?php
+date_default_timezone_set('UTC');
+
+foreach ( [ '+99:60', '+99:62', '-99:62', '-99:60', '+9960', '-9960', '+9959', '-9959' ] as $test )
+{
+	echo "Testing {$test}: ";
+	try {
+		$d = new DateTimeZone($test);
+		echo $d->getName(), "\n";
+	} catch (Exception $e) {
+		echo $e->getMessage(), "\n";
+	}
+}
+
+
+?>
+--EXPECT--
+Testing +99:60: DateTimeZone::__construct(): Timezone offset is out of range (+99:60)
+Testing +99:62: DateTimeZone::__construct(): Timezone offset is out of range (+99:62)
+Testing -99:62: DateTimeZone::__construct(): Timezone offset is out of range (-99:62)
+Testing -99:60: DateTimeZone::__construct(): Timezone offset is out of range (-99:60)
+Testing +9960: DateTimeZone::__construct(): Timezone offset is out of range (+9960)
+Testing -9960: DateTimeZone::__construct(): Timezone offset is out of range (-9960)
+Testing +9959: +99:59
+Testing -9959: -99:59
