This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [patch] Fix BZ 18985 out of bounds access in strftime


On 09/20/2015 05:10 PM, Mike Frysinger wrote:
On 20 Sep 2015 11:45, Paul Pluzhnikov wrote:
On Sun, Sep 20, 2015 at 11:39 AM, Paul Eggert wrote:
    tp->tm_hour = 1024;
    strftime(..., "%H %I", tp);  // produces "1024 04"

that doesn't seem very desirable.

That helps the programmer more than returning 0 would.

Yes, you convinced me that returning 0 is the wrong thing to do.

The remaining question was whether tm_hour==1024 should map to "1024"
or to "?". Your other example suggests that "1024" is more useful.

as i mentioned in the previous thread, i think dumping more details would
be nicer, and still permissible by the standard.  using tm_hour=1024, we
might have something like:

$ cat test.c
#include <stdio.h>
#include <string.h>
#include <time.h>
int main()
{
	char buf[1024];
	struct tm tm;
	memset(&tm, 0, sizeof(tm));
	tm.tm_hour = 1024;
	size_t ret = strftime(buf, sizeof(buf), "%H %I", &tm);
	printf("buf = %s\n", buf);
}

$ ./a.out
buf = INVALID<H/tm_hour=1024> 1012

This approach will cause the function to exceed the size of
the destination buffer when it's sized just right for valid
input. This will then lead to two failure modes for the same
problem: strftime producing "<INVALID>" for invalid input,
and returning zero for the same invalid input, depending on
the size of the destination buffer.

Martin


i'm not set on any particular structured format ... just including more
details to make it overly obvious where the problem lies.
-mike
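
A caller-side view of the buffer-size point raised above, as an added example that is not part of this thread or of the glibc patch: it range-checks the struct tm fields before calling strftime and treats a 0 return as "no usable output", using a buffer sized exactly for valid "%H %I" output. The names tm_fields_in_range and checked_strftime are hypothetical, and the ranges are the ones the C standard documents for struct tm.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper: true when every field is inside the range the
   C standard documents for struct tm (tm_sec allows a leap second). */
static bool tm_fields_in_range(const struct tm *tp)
{
    return tp->tm_sec  >= 0 && tp->tm_sec  <= 60 &&
           tp->tm_min  >= 0 && tp->tm_min  <= 59 &&
           tp->tm_hour >= 0 && tp->tm_hour <= 23 &&
           tp->tm_mday >= 1 && tp->tm_mday <= 31 &&
           tp->tm_mon  >= 0 && tp->tm_mon  <= 11 &&
           tp->tm_wday >= 0 && tp->tm_wday <= 6  &&
           tp->tm_yday >= 0 && tp->tm_yday <= 365;
}

/* Hypothetical wrapper: returns what strftime returns, or 0 with buf set
   to "" when a field is out of range or the output does not fit. */
static size_t checked_strftime(char *buf, size_t size, const char *fmt,
                               const struct tm *tp)
{
    size_t n = 0;

    if (size == 0)
        return 0;
    if (tm_fields_in_range(tp))
        n = strftime(buf, size, fmt, tp);
    if (n == 0)
        buf[0] = '\0';  /* buffer contents are indeterminate after a 0 return */
    return n;
}

int main(void)
{
    char buf[6];        /* exactly "HH II" plus the terminating NUL */
    struct tm tm;

    memset(&tm, 0, sizeof tm);
    tm.tm_mday = 1;     /* constructed sample input */
    tm.tm_hour = 13;
    printf("%zu \"%s\"\n", checked_strftime(buf, sizeof buf, "%H %I", &tm), buf);
    tm.tm_hour = 1024;  /* the out-of-range value used in the thread */
    printf("%zu \"%s\"\n", checked_strftime(buf, sizeof buf, "%H %I", &tm), buf);
    return 0;
}
```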


