Decode: restrict timezone offset values (pelletier#696)

Don't allow hours greater than 24 and minutes greater than 60 per RFC 3339.
ocean2811 · Dec 2, 2021 · f53bc74 · f53bc74
1 parent 9bf9be6
commit f53bc74
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/decode.go b/decode.go
@@ -117,10 +117,17 @@ func parseDateTime(b []byte) (time.Time, error) {
 		if err != nil {
 			return time.Time{}, err
 		}
+		if hours > 24 {
+			return time.Time{}, newDecodeError(b[:1], "invalid timezone offset hours")
+		}
+
 		minutes, err := parseDecimalDigits(b[4:6])
 		if err != nil {
 			return time.Time{}, err
 		}
+		if minutes > 60 {
+			return time.Time{}, newDecodeError(b[:1], "invalid timezone offset minutes")
+		}
 
 		seconds := direction * (hours*3600 + minutes*60)
 		zone = time.FixedZone("", seconds)

diff --git a/unmarshaler_test.go b/unmarshaler_test.go
@@ -2632,6 +2632,14 @@ world'`,
 			desc: `invalid number of seconds digits with trailing digit`,
 			data: `a=0000-01-01 00:00:000000Z3`,
 		},
+		{
+			desc: `invalid zone offset hours`,
+			data: `a=0000-01-01 00:00:00+25:00`,
+		},
+		{
+			desc: `invalid zone offset minutes`,
+			data: `a=0000-01-01 00:00:00+00:61`,
+		},
 		{
 			desc: `invalid character in zone offset hours`,
 			data: `a=0000-01-01 00:00:00+0Z:00`,