Check month overflow when marshal

https://hackerone.com/reports/1244185
author: Nobuyoshi Nakada <nobu@ruby-lang.org> 2021-06-26 01:48:01 +0900
committer: Nobuyoshi Nakada <nobu@ruby-lang.org> 2021-12-09 21:51:39 +0900
commit: da652e1827a47c8ee37fab72832ba8324c94911f (patch)
tree: 0fcb107e35a26a3ef65f175052506c474930c510
parent: 12a0a89e22fbc312e4a95a7749bc153532daa855 (diff)
2 files changed, 11 insertions, 1 deletions
diff --git a/test/ruby/test_time.rb b/test/ruby/test_time.rb
index c629a59c02..b3dc5d99e3 100644
--- a/test/ruby/test_time.rb
+++ b/test/ruby/test_time.rb
@@ -386,6 +386,11 @@ class TestTime < Test::Unit::TestCase
     end
   end
 
+  def test_marshal_broken_month
+    data = "\x04\x08u:\tTime\r\x20\x7c\x1e\xc0\x00\x00\x00\x00"
+    assert_equal(Time.utc(2022, 4, 1), Marshal.load(data))
+  end
+
   def test_marshal_distant_past
     assert_marshal_roundtrip(Time.utc(1890, 1, 1))
     assert_marshal_roundtrip(Time.utc(-4.5e9, 1, 1))
diff --git a/time.c b/time.c
index 9c23089cfd..8f044e1e59 100644
--- a/time.c
+++ b/time.c
@@ -5251,8 +5251,13 @@ time_mload(VALUE time, VALUE str)
                 year = rb_int_plus(year, year_extend);
             }
         }
+        unsigned int mon = ((int)(p >> 10) & 0xf); /* 0...12 */
+        if (mon >= 12) {
+            mon -= 12;
+            year = addv(year, LONG2FIX(1));
+        }
         vtm.year = year;
-	vtm.mon  = ((int)(p >> 10) & 0xf) + 1;
+	vtm.mon  = mon + 1;
 	vtm.mday = (int)(p >>  5) & 0x1f;
 	vtm.hour = (int) p        & 0x1f;
 	vtm.min  = (int)(s >> 26) & 0x3f;
author	Nobuyoshi Nakada <nobu@ruby-lang.org>	2021-06-26 01:48:01 +0900
committer	Nobuyoshi Nakada <nobu@ruby-lang.org>	2021-12-09 21:51:39 +0900
commit	da652e1827a47c8ee37fab72832ba8324c94911f (patch)
tree	0fcb107e35a26a3ef65f175052506c474930c510
parent	12a0a89e22fbc312e4a95a7749bc153532daa855 (diff)