From c98100429071a2dca3191c0d0dfa17cd64fcdda2 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Sun, 14 Nov 2021 09:39:59 -0500
Subject: [PATCH] Fix a panic from an unchecked string slice.

When slicing a string, you get a panic if you do so at any point
other than at a character boundary.  This happened in the
implementation of UTCTime parsing.

This bug was introduced in bc156c36d76d91b77cdf8f1f231e2c554ea0e454,
and appears to affect only version 0.6.0.

I've tried using the clippy::string_slice lint to confirm that there
are not any other string slices in this code.

Fixes bug #27.  Found via fuzzing.
---
 src/lib.rs | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/lib.rs b/src/lib.rs
index af2c3dc..a7e7495 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -505,7 +505,13 @@ fn from_der_(i: &[u8], start_offset: usize) -> Result<Vec<ASN1Block>, ASN1Decode
 
                 let v = String::from_iter(body.iter().map(|x| *x as char));
 
-                let y = &v[0..2];
+                let y = match v.get(0..2) {
+                    Some(yy) => yy,
+                    None => {
+                        // This wasn't a valid character boundrary.
+                        return Err(ASN1DecodeErr::InvalidDateValue(v));
+                    }
+                };
 
                 let y_prefix = match y.parse::<u8>() {
                     Err(_) => return Err(ASN1DecodeErr::InvalidDateValue(v)),
@@ -1438,6 +1444,15 @@ mod tests {
         Ok(vec![ASN1Block::Integer(0, val)])
     }
 
+    #[test]
+    fn utc_time_tests() {
+        // Check for a regression against issue #27, in which this would
+        // cause a panic.
+        let input = [55, 13, 13, 133, 13, 13, 50, 13, 13, 133, 13, 13, 50, 13, 133];
+        let output = from_der(&input);
+        assert!(output.is_err());
+    }
+
     #[test]
     fn generalized_time_tests() {
         check_spec(
-- 
2.53.0