From f53bc740c1c4b845f3628e510577f9d56d96a0eb Mon Sep 17 00:00:00 2001
From: Cameron Moore
Date: Thu, 2 Dec 2021 17:59:32 -0600
Subject: [PATCH] Decode: restrict timezone offset values (#696)
Don't allow hours greater than 24 and minutes greater than 60 per RFC 3339.
---
 decode.go | 7 +++++++
 unmarshaler_test.go | 8 ++++++++
 2 files changed, 15 insertions(+)
diff --git a/decode.go b/decode.go
index e89f23d..e18b911 100644
--- a/decode.go
+++ b/decode.go
@@ -117,10 +117,17 @@ func parseDateTime(b []byte) (time.Time, error) {
 if err != nil {
 return time.Time{}, err
 }
+ if hours > 24 {
+ return time.Time{}, newDecodeError(b[:1], "invalid timezone offset hours")
+ }
+
 minutes, err := parseDecimalDigits(b[4:6])
 if err != nil {
 return time.Time{}, err
 }
+ if minutes > 60 {
+ return time.Time{}, newDecodeError(b[:1], "invalid timezone offset minutes")
+ }
 seconds := direction * (hours*3600 + minutes*60)
 zone = time.FixedZone("", seconds)
diff --git a/unmarshaler_test.go b/unmarshaler_test.go
index d6bd268..076a441 100644
--- a/unmarshaler_test.go
+++ b/unmarshaler_test.go
@@ -2632,6 +2632,14 @@ world'`,
 desc: `invalid number of seconds digits with trailing digit`,
 data: `a=0000-01-01 00:00:000000Z3`,
 },
+ {
+ desc: `invalid zone offset hours`,
+ data: `a=0000-01-01 00:00:00+25:00`,
+ },
+ {
+ desc: `invalid zone offset minutes`,
+ data: `a=0000-01-01 00:00:00+00:61`,
+ },
 {
 desc: `invalid character in zone offset hours`,
 data: `a=0000-01-01 00:00:00+0Z:00`,
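Review bot: Both new bounds in the decode.go hunk are off by one against RFC 3339, whose grammar limits the offset hour to 00-23 and the offset minute to 00-59: `if hours > 24` still accepts an offset of `+24:00` and `if minutes > 60` still accepts `+00:60`. The guards should read `if hours > 23 {` and `if minutes > 59 {`, so that the decoder rejects the same documents a strict RFC 3339 parser rejects and two consumers of one TOML file cannot disagree about a timestamp. The cases added in the unmarshaler_test.go hunk use `+25:00` and `+00:61`, which pass with either bound; adding `a=0000-01-01 00:00:00+24:00` and `a=0000-01-01 00:00:00+00:60` to the same invalid-input table would pin the boundary. parseDateTime begins and ends outside the hunk, so whether a later step normalises these values cannot be seen from here.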