From 0a80849250162d89b674f7e65144e463e107b8cd Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sun, 11 May 2014 19:34:21 -0700
Subject: Fix bug #67251 - date_parse_from_format out-of-bounds read
---
 NEWS | 1 +
 ext/date/lib/parse_date.c | 6 +++++-
 ext/date/lib/parse_date.re | 4 ++++
 ext/date/tests/bug67251.phpt | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 ext/date/tests/bug67251.phpt
diff --git a/NEWS b/NEWS
index 03f8b87daf..ec1ad06f1f 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ PHP NEWS
 - Date:
 . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)
+ . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas)
 - DOM:
 . Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag,
diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c
index 47b48178c2..4b83451f90 100644
--- a/ext/date/lib/parse_date.c
+++ b/ext/date/lib/parse_date.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 on Sat Jan 25 15:48:30 2014 */
+/* Generated by re2c 0.13.5 on Sun May 11 19:30:56 2014 */
 #line 1 "ext/date/lib/parse_date.re"
 /* +----------------------------------------------------------------------+
@@ -25124,6 +25124,10 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
 break;
 case '\\': /* escaped char */
+ if(!fptr[1]) {
+ add_pbf_error(s, "Escaped character expected", string, begin);
+ break;
+ }
 fptr++;
 if (*ptr == *fptr) {
 ++ptr;
diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re
index 5b923d4bc4..2a0687cbaa 100644
--- a/ext/date/lib/parse_date.re
+++ b/ext/date/lib/parse_date.re
@@ -2131,6 +2131,10 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
 break;
 case '\\': /* escaped char */
+ if(!fptr[1]) {
+ add_pbf_error(s, "Escaped character expected", string, begin);
+ break;
+ }
 fptr++;
 if (*ptr == *fptr) {
 ++ptr;
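Review bot: The new `if(!fptr[1])` guard in the `case '\\'` branch of parse_date.re (repeated in the regenerated parse_date.c) carries no comment saying why it is there, and the reason is not obvious from the branch alone. The signature in the hunk header passes `format` as a bare `char *` with no length of its own, so the terminating NUL is the only bound on `fptr`, and the unconditional `fptr++` below would step past it when the format ends in a backslash. I would add `/* a trailing backslash has nothing to escape; stop so fptr never moves past the terminating NUL */` above the check and write it as `if (!fptr[1]) {` to match the spacing of `if (*ptr == *fptr)` below. The function body starts and ends outside the hunk, so any other branch that advances `fptr` before reading it is worth checking for the same pattern.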
diff --git a/ext/date/tests/bug67251.phpt b/ext/date/tests/bug67251.phpt
new file mode 100644
index 0000000000..68c56a1613
--- /dev/null
+++ b/ext/date/tests/bug67251.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Bug #67251 (date_parse_from_format out-of-bounds read)
+--INI--
+date.timezone=Europe/Berlin
+--FILE--
+
+ bool(false)
+ ["month"]=>
+ bool(false)
+ ["day"]=>
+ bool(false)
+ ["hour"]=>
+ bool(false)
+ ["minute"]=>
+ bool(false)
+ ["second"]=>
+ bool(false)
+ ["fraction"]=>
+ bool(false)
+ ["warning_count"]=>
+ int(0)
+ ["warnings"]=>
+ array(0) {
+ }
+ ["error_count"]=>
+ int(2)
+ ["errors"]=>
+ array(1) {
+ [0]=>
+ string(13) "Trailing data"
+ }
+ ["is_localtime"]=>
+ bool(false)
+}
-- 
cgit v1.2.1
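Review bot: The expected output does not pin the message this commit introduces: `["error_count"]` is `int(2)` but `["errors"]` lists a single entry, `"Trailing data"`, so `"Escaped character expected"` never appears in the expectation. Presumably both errors are stored under the same position key and the later one replaces the earlier; that should be confirmed and then stated in the test, e.g. `// error_count is 2: "Escaped character expected" shares key 0 with "Trailing data" and is overwritten`. A second case in which the new message is the one left in the array would make a regression in the guard itself visible, rather than only a change in the count. The `--FILE--` body is not readable on this page, so the input itself is not reviewed here.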