core dump from within asctime_r()

Robert Elz kre at munnari.OZ.AU
Sun Jan 31 03:53:37 UTC 2010


    Date:        Sat, 30 Jan 2010 21:22:41 +0000 (UTC)
    From:        Edwin Groothuis <edwin at mavetju.org>
    Message-ID:  <loom.20100130T221814-351 at post.gmane.org>

  | I don't know if these are FreeBSD specific,

They aren't.

  |  but the following ones take the
  | "struct tm *" without checking the values either:
  | 
  | * time1() via mktime(), gmtime().

Those are OK, that "struct tm" comes from the user, if the user wants their
program to crash, they can pass in any bogus value they want.

The only internal calls of those functions I can see (eg: from in strftime())
never pass a NULL value in (since the struct tm there is the starting point,
it is typically explicitly allocated (declared as a variable) rather than
obtained from one of the other functions).

  | * asctime_r().

Yes, that's the one (the asctime() variant interface isn't interesting
itself) - technically asctime() (or asctime_r()) shouldn't need to verify
its input parameters either - it is only because it is called internally
that makes me suggest it (and which is why the problem could also be
fixed in ctime()).

I'm suggesting adding this check into asctime() (into asctime_r() really
of course) because code like what is in ctime() has been a programming idiom
on unix systems for almost 40 years now - there will be lots of code that
simply assumes that localtime() (etc.) cannot fail, and so does
	asctime(localtime(&t))
or similar.

kre
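The idiom discussed above, as an added illustration in C that is not part of
this thread or of the tz code: the unchecked asctime(localtime(&t)) form
beside a checked wrapper that refuses to hand a NULL "struct tm *" to
asctime_r(). The names checked_ctime_r, idiom_would_crash and far_future are
invented here. The example assumes a POSIX libc with localtime_r()/asctime_r()
and relies on localtime_r() returning NULL when the year does not fit in
tm_year, which is the failure the thread is about; it only constructs such a
value when time_t is 64-bit.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CTIME_BUFLEN 26   /* asctime_r() requires a buffer of at least 26 bytes */

/* Checked replacement for the asctime(localtime(&t)) idiom (hypothetical
   helper, not tzcode's own). localtime_r() returns NULL when t cannot be
   represented in a struct tm (for instance when the year overflows int);
   the unchecked idiom would pass that NULL straight into asctime_r(). */
char *checked_ctime_r(time_t t, char *buf)
{
    struct tm tm;
    if (localtime_r(&t, &tm) == NULL)
        return NULL;            /* report failure instead of dereferencing NULL */
    return asctime_r(&tm, buf);
}

/* The unchecked idiom, with the crash step left out: returns 1 if
   localtime() fails for t, i.e. if asctime(localtime(&t)) would have
   dereferenced a NULL pointer. */
int idiom_would_crash(time_t t)
{
    return localtime(&t) == NULL;
}

/* A time_t far enough ahead that tm_year cannot hold the year: INT_MAX
   366-day years after the epoch. Only constructible with a 64-bit time_t;
   with a 32-bit time_t the largest representable value (2038) is returned
   and localtime() still succeeds for it. */
time_t far_future(void)
{
    if (sizeof(time_t) < 8)
        return (time_t)INT_MAX;
    return (time_t)INT_MAX * 366 * 86400;   /* about 6.8e16, fits in 64 bits */
}

int main(void)
{
    char buf[CTIME_BUFLEN];
    time_t now = time(NULL);

    if (checked_ctime_r(now, buf) != NULL)
        fputs(buf, stdout);     /* asctime_r() output already ends in '\n' */

    time_t t = far_future();
    if (checked_ctime_r(t, buf) == NULL)
        printf("localtime_r() failed for %lld; unchecked idiom would crash: %d\n",
               (long long)t, idiom_would_crash(t));
    else
        fputs(buf, stdout);
    return 0;
}
```

The check belongs in the caller here, but the thread's point is that four
decades of existing callers do not have it, which is why a NULL test inside
asctime_r() (or ctime()) turns the crash into a NULL return instead.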
