pool/glibc
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5005d4836d
glibc/strftime-range-check.patch
Andreas Schwab 5005d4836d Accepting request 359989 from home:Andreas_Schwab:Factory 
- tls-dtor-list-mangling.patch: Harden tls_dtor_list with pointer mangling
  (BZ #19018)
- prelink-elf-rtype-class.patch: Keep only ELF_RTYPE_CLASS_{PLT|COPY} bits
  for prelink (BZ #19178)
- vector-finite-math-aliases.patch: Better workaround for aliases of
  *_finite symbols in vector math library (BZ# 19058)
- powerpc-elision-adapt-param.patch: powerpc: Fix usage of elision
  transient failure adapt param (BZ #19174)
- catopen-unbound-alloca.patch: Fix unbound alloca in catopen
  (CVE-2015-8779, bsc#962739, BZ #17905)
- strftime-range-check.patch: Add range check on time fields
  (CVE-2015-8776, bsc#962736, BZ #18985)
- hcreate-overflow-check.patch: Handle overflow in hcreate (CVE-2015-8778,
  bsc#962737, BZ #18240)
- errorcheck-mutex-no-elision.patch: Don't do lock elision on an error
  checking mutex (bsc#956716, BZ #17514)
- refactor-nan-parsing.patch: Refactor strtod parsing of NaN payloads
  (CVE-2014-9761, bsc#962738, BZ #16962)
- send-dg-buffer-overflow.patch: Fix getaddrinfo stack-based buffer
  overflow (CVE-2015-7547, bsc#961721, BZ #18665)
- powerpc-lock-elision-race.patch: renamed from
  0001-powerpc-Fix-a-race-condition-when-eliding-a-lock-20150730.patch

OBS-URL: https://build.opensuse.org/request/show/359989
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=421
2016-02-17 14:42:34 +00:00

127 lines
3.8 KiB
Diff
Raw Blame History

2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #18985]
* time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
(__strftime_internal): Likewise.
* time/tst-strftime.c (do_bz18985): New test.
(do_test): Call it.
Index: glibc-2.22/time/strftime_l.c
===================================================================
--- glibc-2.22.orig/time/strftime_l.c
+++ glibc-2.22/time/strftime_l.c
@@ -510,13 +510,17 @@ __strftime_internal (s, maxsize, format,
only a few elements. Dereference the pointers only if the format
requires this. Then it is ok to fail if the pointers are invalid. */
# define a_wkday \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
# define f_wkday \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
# define a_month \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
# define f_month \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
# define ampm \
((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
? NLW(PM_STR) : NLW(AM_STR)))
@@ -526,8 +530,10 @@ __strftime_internal (s, maxsize, format,
# define ap_len STRLEN (ampm)
#else
# if !HAVE_STRFTIME
-# define f_wkday (weekday_name[tp->tm_wday])
-# define f_month (month_name[tp->tm_mon])
+# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : weekday_name[tp->tm_wday])
+# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : month_name[tp->tm_mon])
# define a_wkday f_wkday
# define a_month f_month
# define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
@@ -1321,7 +1327,7 @@ __strftime_internal (s, maxsize, format,
*tzset_called = true;
}
# endif
- zone = tzname[tp->tm_isdst];
+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
}
#endif
if (! zone)
Index: glibc-2.22/time/tst-strftime.c
===================================================================
--- glibc-2.22.orig/time/tst-strftime.c
+++ glibc-2.22/time/tst-strftime.c
@@ -4,6 +4,56 @@
#include <time.h>
+static int
+do_bz18985 (void)
+{
+ char buf[1000];
+ struct tm ttm;
+ int rc, ret = 0;
+
+ memset (&ttm, 1, sizeof (ttm));
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+ if (rc == 66)
+ {
+ const char expected[]
+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
+ if (0 != strcmp (buf, expected))
+ {
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+ ret += 1;
+ }
+ }
+ else
+ {
+ printf ("expected 66, got %d\n", rc);
+ ret += 1;
+ }
+
+ /* Check negative values as well. */
+ memset (&ttm, 0xFF, sizeof (ttm));
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+ if (rc == 30)
+ {
+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
+ if (0 != strcmp (buf, expected))
+ {
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+ ret += 1;
+ }
+ }
+ else
+ {
+ printf ("expected 30, got %d\n", rc);
+ ret += 1;
+ }
+
+ return ret;
+}
+
static struct
{
const char *fmt;
@@ -104,7 +154,7 @@ do_test (void)
}
}
- return result;
+ return result + do_bz18985 ();
}
#define TEST_FUNCTION do_test ()
Reference in New Issue View Git Blame Copy Permalink