Open Bug 1023437 Opened 7 years ago

der_TimeStringToTime bounds checking for days in month is too relaxed

Categories

(NSS :: Libraries, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

People

(Reporter: cviecco, Unassigned)

Details

Currently we only check that the days in month values are between 1 and 31 (inclusive), which means a Feb 31 day is considered valid.

const uint8_t DER_GENERALIZED_TIME_INVALID_DAY_FEB[] = {
  0x18, /* tag: GeneralizedTime */
  15,   /* length of the time string */
  /* "19910230164540Z" */
  '1', '9', '9', '1', '0', '2', '3', '0', '1', '6', '4', '5', '4', '0', 'Z'
};

is decoded successfully (by DER_GeneralizedTimeToTime, which calls der_TimeStringToTime), returning 667932340000000, which is Sat, 02 Mar 1991 16:45:40 GMT.

expected result: failure
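
One way to tighten the day check described in this report, as an added example that is not NSS code and not part of the bug: the day is compared against the real length of the month, leap years included. The function names are hypothetical, only the 15-byte YYYYMMDDHHMMSSZ form is handled, and the time fields are checked for digits only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs: the first is the buffer from the report, the second a valid leap day. */
static const uint8_t FEB_30_1991[] = {0x18, 15, '1','9','9','1','0','2','3','0','1','6','4','5','4','0','Z'};
static const uint8_t FEB_29_1992[] = {0x18, 15, '1','9','9','2','0','2','2','9','1','6','4','5','4','0','Z'};

/* Convert two ASCII digits to an int; -1 if either byte is not a digit. */
static int two_digits(const uint8_t *p)
{
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9')
        return -1;
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Days in the given Gregorian month; 0 if the month is out of range. */
int days_in_month(int year, int month)
{
    static const int days[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    if (month < 1 || month > 12)
        return 0;
    if (month == 2 && year % 4 == 0 && (year % 100 != 0 || year % 400 == 0))
        return 29;
    return days[month - 1];
}

/* Hypothetical helper: returns 1 if the DER GeneralizedTime TLV
 * (tag 0x18, length 15, trailing 'Z') names a real calendar date,
 * 0 otherwise. */
int generalized_time_date_ok(const uint8_t *der, size_t len)
{
    int f[7]; /* century, year-in-century, month, day, hour, minute, second */
    if (len != 17 || der[0] != 0x18 || der[1] != 15 || der[16] != 'Z')
        return 0;
    for (int i = 0; i < 7; i++)
        if ((f[i] = two_digits(der + 2 + 2 * i)) < 0)
            return 0;
    int dim = days_in_month(f[0] * 100 + f[1], f[2]);
    return dim != 0 && f[3] >= 1 && f[3] <= dim;
}

int main(void)
{
    printf("19910230: %d\n", generalized_time_date_ok(FEB_30_1991, sizeof FEB_30_1991));
    printf("19920229: %d\n", generalized_time_date_ok(FEB_29_1992, sizeof FEB_29_1992));
    return 0;
}
```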