[tz] Bad 32 bit data in 2018f
Daniel Fischer
daniel.fischer at oracle.com
Thu Oct 25 15:38:25 UTC 2018
Paul,
> Please try the attached patch, which I installed into the development version on GitHub.
The patch does fix my problem.
But if the Qt workaround is disabled, there's a buffer overrun now.
> + while (0 < timecnt32 && INT32_MAX < ats[timecnt32 - 1])
> --timecnt32;
> + while (0 < timecnt32 && ats[timei32] < INT32_MIN) {
> --timecnt32;
> ++timei32;
> }
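Review bot: when every transition is below INT32_MIN the second loop runs until timecnt32 reaches 0 and leaves timei32 pointing just past the last element (timei32 == 1 for a single transition), so any later read of ats[timei32], such as the `if (timei32 > 0 && ats[timei32] > INT32_MIN)` check, should also require `0 < timecnt32`; that condition guarantees at least one trimmed-in element remains at ats[timei32], keeping the index inside the array.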
For a zone like Atlantic/South_Georgia, one transition before 1901, no fake 2038 transition:
timei32 == 1
timecnt32 == 0
Later, this read from ats[1] is out of bounds:
> if (timei32 > 0 && ats[timei32] > INT32_MIN) {
For a quick test, something like this should trigger ASan in a fresh clone from GitHub:
sed -ibak 's/\(WORK_AROUND_QTBUG_53071 = \)true/\1false/' zic.c
make CFLAGS=-fsanitize=address
echo -e "Zone foo 0:0 - -0 1890\n0:0 - -0" | ./zic -d foo -
NB, the allocation of ats as nats * 9 bytes at the start of writezone() might not be as intended:
> zic_t *ats = emalloc(size_product(nats, sizeof *ats + 1));
Danny
--
Daniel Fischer
ORACLE Deutschland B.V. & Co. KG, Riesstr. 25, 80992 München - HRA MUC 95603
Komplementaer: ORACLE DE Verw.B.V., Hertogswetering 163/167, 3543 AS Utrecht
Geschaeftsfuehrer: Alexander van der Ven, Jan Schultheiss, Val Maher NL
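The trimming loops and the out-of-bounds case described in the message above, as an added stand-alone illustration that is not zic's code: `trim_to_32bit` reproduces the two quoted loops on a constructed transition array (a zic_t typedef and a result struct are assumed here), and `check_first_kept` is the later `ats[timei32] > INT32_MIN` test with an extra `timecnt32 > 0` guard so it cannot index past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t zic_t;            /* assumed: zic's 64-bit transition-time type */

/* State left behind by the 32-bit trimming pass from the quoted patch. */
struct trim32 { ptrdiff_t timei32; ptrdiff_t timecnt32; };

/* Drop transitions that do not fit in 32 bits, exactly as the two quoted
   loops do.  timecnt is the number of valid entries in ats[]. */
struct trim32 trim_to_32bit(const zic_t *ats, ptrdiff_t timecnt)
{
    struct trim32 r = { 0, timecnt };
    while (0 < r.timecnt32 && INT32_MAX < ats[r.timecnt32 - 1])
        --r.timecnt32;                       /* trim post-2038 transitions */
    while (0 < r.timecnt32 && ats[r.timei32] < INT32_MIN) {
        --r.timecnt32;                       /* trim pre-1901 transitions */
        ++r.timei32;                         /* can reach timecnt when all are pre-1901 */
    }
    return r;
}

/* The later check from the patch.  Without the timecnt32 > 0 guard,
   timei32 == timecnt makes ats[timei32] a read one past the array. */
int check_first_kept(const zic_t *ats, struct trim32 r)
{
    return r.timecnt32 > 0 && r.timei32 > 0 && ats[r.timei32] > INT32_MIN;
}

/* Constructed inputs: one 1890-01-01 transition (like Atlantic/South_Georgia,
   no fake 2038 transition), and the same plus a 1970 and a post-2038 one. */
static const zic_t south_georgia[] = { -2524521600LL };
static const zic_t mixed[]         = { -2524521600LL, 0, 3000000000LL };

int main(void)
{
    struct trim32 a = trim_to_32bit(south_georgia, 1);
    struct trim32 b = trim_to_32bit(mixed, 3);
    printf("south_georgia: timei32=%td timecnt32=%td kept=%d\n",
           a.timei32, a.timecnt32, check_first_kept(south_georgia, a));
    printf("mixed:         timei32=%td timecnt32=%td kept=%d\n",
           b.timei32, b.timecnt32, check_first_kept(mixed, b));
    return 0;
}
```

Running the first case under ASan with the guard removed from `check_first_kept` reproduces the one-element overrun the message describes.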