From 5682f377aed5b0db6b6c4a44b1d8868103b7e9f7 Mon Sep 17 00:00:00 2001
From: Martin Michlmayr
Date: Tue, 15 Jan 2019 20:55:53 -0300
Subject: Fix parsing issue involving effective dates

Cory Duplantis reported that "A specially crafted journal file can cause [an] integer underflow resulting in code execution".

Cory provided this test case:

Expenses:Food:Groceries $ 37.50 ; ] [=2004/01/01]

Note the ] that comes before [ after the ;.

This issue was reported and described in great detail by Cory Duplantis of Cisco Talos. This issue is known as TALOS-2017-0303 and has been assigned CVE-2017-2807. Cory's description can be found at https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303

Fixes #1722
---
 src/item.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/item.cc b/src/item.cc
index bd025c52..7132103e 100644
--- a/src/item.cc
+++ b/src/item.cc
@@ -152,7 +152,7 @@ void item_t::parse_tags(const char * p,
 if (const char * b = std::strchr(p, '[')) {
 if (*(b + 1) != '\0' &&
 (std::isdigit(*(b + 1)) || *(b + 1) == '=')) {
- if (const char * e = std::strchr(p, ']')) {
+ if (const char * e = std::strchr(b, ']')) {
 char buf[256];
 std::strncpy(buf, b + 1, static_cast(e - b - 1));
 buf[e - b - 1] = '\0';
-- cgit v1.2.3
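Review bot: Searching from `b` instead of `p` makes `e - b - 1` non-negative, but the copy into `char buf[256]` on the next two lines is still unbounded above: `std::strncpy(buf, b + 1, e - b - 1)` and `buf[e - b - 1] = '\0'` use whatever distance a crafted journal line puts between `[` and the next `]`, so more than 255 bytes inside the brackets still overruns the stack buffer. I would guard the length right after the declaration, e.g. `if (static_cast<std::size_t>(e - b) > sizeof(buf)) return; // bracket contents too long for buf` (or the file's usual parse-error path, which is not visible here), or replace the fixed buffer with `std::string(b + 1, e)` if the consumer of `buf` downstream can take one. The rendered `static_cast(e - b - 1)` appears to have lost its template argument in display and presumably reads `static_cast<std::size_t>` in the file. parse_tags begins before this hunk and continues after it, so how `buf` is consumed is outside my view.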