Add checks for ascii digits in time decode functions

padelsbach · padelsbach · commit 5b83257c52d7 · 2026-04-21T15:01:03.000-07:00
diff --git a/src/ssl_asn1.c b/src/ssl_asn1.c
@@ -4293,6 +4293,14 @@ static int wolfssl_utctime_year(const unsigned char* str, int len, int* year)
         ret = 0;
     }
 
+    if (ret == 1) {
+        if ((str[0] < '0') || (str[0] > '9') ||
+            (str[1] < '0') || (str[1] > '9')) {
+            WOLFSSL_MSG("Invalid characters in UTC year.");
+            ret = 0;
+        }
+    }
+
     if (ret == 1) {
         int tm_year;
         /* 2-digit year. */
@@ -4334,6 +4342,16 @@ static int wolfssl_gentime_year(const unsigned char* str, int len, int* year)
         ret = 0;
     }
 
+    if (ret == 1) {
+        if ((str[0] < '0') || (str[0] > '9') ||
+            (str[1] < '0') || (str[1] > '9') ||
+            (str[2] < '0') || (str[2] > '9') ||
+            (str[3] < '0') || (str[3] > '9')) {
+            WOLFSSL_MSG("Invalid characters in generalized year.");
+            ret = 0;
+        }
+    }
+
     if (ret == 1) {
         int tm_year;
         /* 4-digit year. */
@@ -4406,8 +4424,22 @@ static int wolfssl_asn1_time_to_tm(const WOLFSSL_ASN1_TIME* asnTime,
             WOLFSSL_MSG("asnTime->type is invalid.");
             ret = 0;
         }
-     }
-     if (ret == 1) {
+    }
+
+    if (ret == 1) {
+        int j;
+        /* Validate 10 digits: MMDDHHMMSS. Length was already checked
+         * (>= UTCTIME_LEN or >= GENTIME_LEN), so i+10 is in range. */
+        for (j = i; j < i + 10; j++) {
+            if (asn1TimeBuf[j] < '0' || asn1TimeBuf[j] > '9') {
+                WOLFSSL_MSG("Non-digit in ASN.1 TIME.");
+                ret = 0;
+                break;
+            }
+        }
+    }
+
+    if (ret == 1) {
         /* Fill in rest of broken-down time from string. */
         /* January is 0 not 1 */
         tm->tm_mon   = (asn1TimeBuf[i] - '0') * 10; i++;
