Fix parsing issue involving effective dates

Cory Duplantis reported that "A specially crafted journal file can cause [an] integer underflow resulting in code execution". Cory provided this test case: Expenses:Food:Groceries $ 37.50 ; ] [=2004/01/01] Note the ] that comes before [ after the ;. This issue was reported and described in great detail by Cory Duplantis of Cisco Talos. This issue is known as TALOS-2017-0303 and has been assigned CVE-2017-2807. Cory's description can be found at https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303 Fixes #1722
ledger · Jan 16, 2019 · 5682f37 · 5682f37
1 parent bec7d3e
commit 5682f37
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/doc/NEWS b/doc/NEWS
@@ -42,6 +42,9 @@
 
 - Do not parse user-specified init-file twice
 
+- Fix parsing issue of effective dates (bug #1722, TALOS-2017-0303,
+  CVE-2017-2807)
+
 - Python: Removed double quotes from Unicode values.
 
 - Python: Ensure that parse errors produce useful RuntimeErrors

diff --git a/src/item.cc b/src/item.cc
@@ -152,7 +152,7 @@ void item_t::parse_tags(const char * p,
     if (const char * b = std::strchr(p, '[')) {
       if (*(b + 1) != '\0' &&
           (std::isdigit(*(b + 1)) || *(b + 1) == '=')) {
-        if (const char * e = std::strchr(p, ']')) {
+        if (const char * e = std::strchr(b, ']')) {
           char buf[256];
           std::strncpy(buf, b + 1, static_cast<std::size_t>(e - b - 1));
           buf[e - b - 1] = '\0';

diff --git a/test/regress/1722.test b/test/regress/1722.test
@@ -0,0 +1,12 @@
+
+2003/12/20 Organic Co-op
+  Expenses:Food:Groceries             $ 37.50  ; ] [=2004/01/01]
+  Assets:Cash                         $-37.50
+
+test bal
+            $ -37.50  Assets:Cash
+             $ 37.50  Expenses:Food:Groceries
+--------------------
+                   0
+end test
+