This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[patch] Fix BZ 18985 out of bounds access in strftime
- From: Paul Pluzhnikov <ppluzhnikov at gmail dot com>
- To: GLIBC Devel <libc-alpha at sourceware dot org>
- Cc: Paul Pluzhnikov <ppluzhnikov at google dot com>, Martin Sebor <msebor at gmail dot com>
- Date: Sat, 19 Sep 2015 20:14:34 -0700
- Subject: [patch] Fix BZ 18985 out of bounds access in strftime
Greetings,
If the general direction of this patch is agreeable, I will add a test
case and send a formal patch.
Thanks,
diff --git a/time/strftime_l.c b/time/strftime_l.c
index b48ef34..6a64b8a 100644
--- a/time/strftime_l.c
+++ b/time/strftime_l.c
@@ -40,6 +40,7 @@
#endif
#include <ctype.h>
+#include <errno.h>
#include <sys/types.h> /* Some systems define `time_t' here. */
#ifdef TIME_WITH_SYS_TIME
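Review bot: the new `#include <errno.h>` exists only to support the `__set_errno (EINVAL)` call added in the next hunk, and `__set_errno` is a glibc-internal macro. The `defined _LIBC` test visible in that hunk's context suggests this file is also meant to compile outside glibc; if so, the error path needs a fallback for the non-_LIBC case (a plain assignment to errno, or a local definition of the macro), otherwise that build breaks.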
@@ -497,6 +498,20 @@ __strftime_internal (s, maxsize, format, tp,
tzset_called ut_argument
ut_argument_spec
LOCALE_PARAM_DECL
{
+ /* Do range checks first. BZ #18985 */
+ if (tp->tm_sec < 0 || tp->tm_sec > 60
+ || tp->tm_min < 0 || tp->tm_min > 59
+ || tp->tm_hour < 0 || tp->tm_hour > 23
+ || tp->tm_mday < 0 || tp->tm_mday > 31
+ || tp->tm_mon < 0 || tp->tm_mon > 11
+ || tp->tm_wday < 0 || tp->tm_wday > 6
+ || tp->tm_yday < 0 || tp->tm_yday > 365
+ || tp->tm_isdst < 0 || tp->tm_isdst > 1)
+ {
+ __set_errno (EINVAL);
+ return 0;
+ }
+
#if defined _LIBC && defined USE_IN_EXTENDED_LOCALE_MODEL
struct __locale_data *const current = loc->__locales[LC_TIME];
#endif
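Review bot: the `tp->tm_isdst < 0 || tp->tm_isdst > 1` test rejects values the C standard allows. tm_isdst is negative when the information is not available and may be any positive value when DST is in effect, so a caller passing -1 would now get EINVAL and a return of 0. Suggest dropping the tm_isdst test. Two further points on the same condition: `tp->tm_mday < 0` accepts 0 although the day of the month starts at 1, and validating every field up front fails calls whose format never reads the out-of-range field (for example a caller that fills in only tm_year and formats with %Y). Consider checking a field only where it is used as an index, and extending the comment to say which fields are validated and why.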
--
Paul Pluzhnikov