Fix bug #67251 - date_parse_from_format out-of-bounds read

Conflicts:
	ext/date/lib/parse_date.c
	ext/date/lib/parse_date.re

Author: smalyshev

ext/date/lib/parse_date.c

@@ -25121,7 +25121,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
 				break;
 
 			case '\\': /* escaped char */
-				*fptr++;
+                if(!fptr[1]) {
+				    add_pbf_error(s, "Escaped character expected", string, begin);
+                    break;
+                }
+				fptr++;
 				if (*ptr == *fptr) {
 					++ptr;
 				} else {

ext/date/lib/parse_date.re

@@ -2128,7 +2128,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim
 				break;
 
 			case '\\': /* escaped char */
-				*fptr++;
+                if(!fptr[1]) {
+				    add_pbf_error(s, "Escaped character expected", string, begin);
+                    break;
+                }
+				fptr++;
 				if (*ptr == *fptr) {
 					++ptr;
 				} else {

ext/date/tests/bug67251.phpt

@@ -0,0 +1,38 @@
+--TEST--
+Bug #67251 (date_parse_from_format out-of-bounds read)
+--INI--
+date.timezone=Europe/Berlin
+--FILE--
+<?php
+var_dump(date_parse_from_format("\\","AAAABBBB"));
+--EXPECT--
+array(12) {
+  ["year"]=>
+  bool(false)
+  ["month"]=>
+  bool(false)
+  ["day"]=>
+  bool(false)
+  ["hour"]=>
+  bool(false)
+  ["minute"]=>
+  bool(false)
+  ["second"]=>
+  bool(false)
+  ["fraction"]=>
+  bool(false)
+  ["warning_count"]=>
+  int(0)
+  ["warnings"]=>
+  array(0) {
+  }
+  ["error_count"]=>
+  int(2)
+  ["errors"]=>
+  array(1) {
+    [0]=>
+    string(13) "Trailing data"
+  }
+  ["is_localtime"]=>
+  bool(false)
+}