From dfd1d7a53153742b06318e0b55965ae93fafa70f Mon Sep 17 00:00:00 2001
From: Derick Rethans
Date: Fri, 20 May 2022 14:48:50 +0100
Subject: [PATCH 1/3] Fixed bug #76963 (Null-byte injection in createFromFormat)
---
 ext/date/php_date.c | 6 +++---
 ext/date/tests/bug76963.phpt | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 ext/date/tests/bug76963.phpt
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index 1b8b5700601..a79cd8c203f 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2382,7 +2382,7 @@ PHP_FUNCTION(date_create_from_format)
 ZEND_PARSE_PARAMETERS_START(2, 3)
 Z_PARAM_STRING(format_str, format_str_len)
- Z_PARAM_STRING(time_str, time_str_len)
+ Z_PARAM_PATH(time_str, time_str_len)
 Z_PARAM_OPTIONAL
 Z_PARAM_OBJECT_OF_CLASS_OR_NULL(timezone_object, date_ce_timezone)
 ZEND_PARSE_PARAMETERS_END();
@@ -2404,7 +2404,7 @@ PHP_FUNCTION(date_create_immutable_from_format)
 ZEND_PARSE_PARAMETERS_START(2, 3)
 Z_PARAM_STRING(format_str, format_str_len)
- Z_PARAM_STRING(time_str, time_str_len)
+ Z_PARAM_PATH(time_str, time_str_len)
 Z_PARAM_OPTIONAL
 Z_PARAM_OBJECT_OF_CLASS_OR_NULL(timezone_object, date_ce_timezone)
 ZEND_PARSE_PARAMETERS_END();
@@ -2804,7 +2804,7 @@ PHP_FUNCTION(date_parse_from_format)
 ZEND_PARSE_PARAMETERS_START(2, 2)
 Z_PARAM_STR(format)
- Z_PARAM_STR(date)
+ Z_PARAM_PATH_STR(date)
 ZEND_PARSE_PARAMETERS_END();
 parsed_time = timelib_parse_from_format(ZSTR_VAL(format), ZSTR_VAL(date), ZSTR_LEN(date), &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
diff --git a/ext/date/tests/bug76963.phpt b/ext/date/tests/bug76963.phpt
new file mode 100644
index 00000000000..af34409e7ee
--- /dev/null
+++ b/ext/date/tests/bug76963.phpt
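Review bot: The format argument is still parsed with `Z_PARAM_STRING(format_str, format_str_len)` in the first two hunks and `Z_PARAM_STR(format)` in the third, so only the datetime argument rejects embedded NUL bytes. In the third hunk `timelib_parse_from_format()` receives `ZSTR_VAL(format)` without a length, which suggests a format string containing a NUL is silently cut at that byte rather than rejected; if the format can ever be influenced by request data it deserves the same check, e.g. `Z_PARAM_PATH_STR(format)`, plus a matching case in the phpt test, which only puts a NUL in the second argument. The path macros are used here purely for their NUL check on a value that is not a path, so a short comment such as `/* not a path: Z_PARAM_PATH is used to reject embedded NUL bytes */` would keep a later cleanup from reverting it. Input with an embedded NUL that presumably parsed before now raises `ValueError`, which is worth an UPGRADING entry if one is not already part of the series. All three function bodies start and end outside the hunks.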
@@ -0,0 +1,32 @@
+--TEST--
+Bug #76963 (Null-byte injection in CreateFromFormat and related functions)
+--FILE--
+getMessage(), "\n";
+ }
+
+ try {
+ $d2 = DateTimeImmutable::createFromFormat('m/d/Y', $string);
+ } catch (ValueError $v) {
+ echo $v->getMessage(), "\n";
+ }
+
+ try {
+ $d3 = date_parse_from_format('m/d/Y', $string);
+ } catch (ValueError $v) {
+ echo $v->getMessage(), "\n";
+ }
+
+ var_dump($d1, $d2, $d3);
+}
From 2dcd82162e822e189fea17ac2f88bb53e06023a1 Mon Sep 17 00:00:00 2001
From: Derick Rethans
Date: Fri, 20 May 2022 14:54:02 +0100
Subject: [PATCH 2/3] Fixed bug #72963 (Null-byte injection in CreateFromFormat and related functions)
---
 ext/date/tests/bug72963.phpt | 90 ++++++++++++++++++++++++++++++++++++
 ext/date/tests/bug76963.phpt | 32 -------------
 2 files changed, 90 insertions(+), 32 deletions(-)
 create mode 100644 ext/date/tests/bug72963.phpt
 delete mode 100644 ext/date/tests/bug76963.phpt
diff --git a/ext/date/tests/bug72963.phpt b/ext/date/tests/bug72963.phpt
new file mode 100644
index 00000000000..197f754a5a0
--- /dev/null
+++ b/ext/date/tests/bug72963.phpt
@@ -0,0 +1,90 @@
+--TEST--
+Bug #72963 (Null-byte injection in CreateFromFormat and related functions)
+--FILE--
+getMessage(), "\n";
+ }
+
+ try {
+ $d2 = DateTimeImmutable::createFromFormat('m/d/Y', $string);
+ } catch (ValueError $v) {
+ echo $v->getMessage(), "\n";
+ }
+
+ try {
+ $d3 = date_parse_from_format('m/d/Y', $string);
+ } catch (ValueError $v) {
+ echo $v->getMessage(), "\n";
+ }
+
+ var_dump($d1, $d2, $d3);
+}
+?>
+--EXPECT--
+Covering string: 8/8/2016
+
+object(DateTime)#1 (3) {
+ ["date"]=>
+ string(26) "2016-08-08 13:52:31.000000"
+ ["timezone_type"]=>
+ int(3)
+ ["timezone"]=>
+ string(3) "UTC"
+}
+object(DateTimeImmutable)#2 (3) {
+ ["date"]=>
+ string(26) "2016-08-08 13:52:31.000000"
+ ["timezone_type"]=>
+ int(3)
+ ["timezone"]=>
+ string(3) "UTC"
+}
+array(12) {
+ ["year"]=>
+ int(2016)
+ ["month"]=>
+ int(8)
+ ["day"]=>
+ int(8)
+ ["hour"]=>
+ bool(false)
+ ["minute"]=>
+ bool(false)
+ ["second"]=>
+ bool(false)
+ ["fraction"]=>
+ bool(false)
+ ["warning_count"]=>
+ int(0)
+ ["warnings"]=>
+ array(0) {
+ }
+ ["error_count"]=>
+ int(0)
+ ["errors"]=>
+ array(0) {
+ }
+ ["is_localtime"]=>
+ bool(false)
+}
+
+Covering string: 8/8/2016\0asf
+
+DateTime::createFromFormat(): Argument #2 ($datetime) must not contain any null bytes
+DateTimeImmutable::createFromFormat(): Argument #2 ($datetime) must not contain any null bytes
+date_parse_from_format(): Argument #2 ($datetime) must not contain any null bytes
+NULL
+NULL
+NULL
diff --git a/ext/date/tests/bug76963.phpt b/ext/date/tests/bug76963.phpt
deleted file mode 100644
index af34409e7ee..00000000000
--- a/ext/date/tests/bug76963.phpt
+++ /dev/null
@@ -1,32 +0,0 @@
---TEST--
-Bug #76963 (Null-byte injection in CreateFromFormat and related functions)
---FILE--
-getMessage(), "\n";
- }
-
- try {
- $d2 = DateTimeImmutable::createFromFormat('m/d/Y', $string);
- } catch (ValueError $v) {
- echo $v->getMessage(), "\n";
- }
-
- try {
- $d3 = date_parse_from_format('m/d/Y', $string);
- } catch (ValueError $v) {
- echo $v->getMessage(), "\n";
- }
-
- var_dump($d1, $d2, $d3);
-}
From 209ea3ffc72f117e015912efdfc822d8146b4868 Mon Sep 17 00:00:00 2001
From: Derick Rethans
Date: Thu, 26 May 2022 14:30:22 +0100
Subject: [PATCH 3/3] Fixed tests
---
 ext/date/tests/bug72963.phpt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ext/date/tests/bug72963.phpt b/ext/date/tests/bug72963.phpt
index 197f754a5a0..c44b78c6340 100644
--- a/ext/date/tests/bug72963.phpt
+++ b/ext/date/tests/bug72963.phpt
@@ -12,13 +12,13 @@ foreach ($strings as $string) {
 echo "\nCovering string: ", addslashes($string), "\n\n";
 try {
- $d1 = DateTime::createFromFormat('m/d/Y', $string);
+ $d1 = DateTime::createFromFormat('!m/d/Y', $string);
 } catch (ValueError $v) {
 echo $v->getMessage(), "\n";
 }
 try {
- $d2 = DateTimeImmutable::createFromFormat('m/d/Y', $string);
+ $d2 = DateTimeImmutable::createFromFormat('!m/d/Y', $string);
 } catch (ValueError $v) {
 echo $v->getMessage(), "\n";
 }
@@ -37,7 +37,7 @@ Covering string: 8/8/2016
 object(DateTime)#1 (3) {
 ["date"]=>
- string(26) "2016-08-08 13:52:31.000000"
+ string(26) "2016-08-08 00:00:00.000000"
 ["timezone_type"]=>
 int(3)
 ["timezone"]=>
@@ -45,7 +45,7 @@ object(DateTime)#1 (3) {
 }
 object(DateTimeImmutable)#2 (3) {
 ["date"]=>
- string(26) "2016-08-08 13:52:31.000000"
+ string(26) "2016-08-08 00:00:00.000000"
 ["timezone_type"]=>
 int(3)
 ["timezone"]=>