[tz] Bad 32 bit data in 2018f

Daniel Fischer daniel.fischer at oracle.com
Thu Oct 25 15:38:25 UTC 2018


Paul,

> Please try the attached patch, which I installed into the development version on GitHub.

The patch does fix my problem.

But if the Qt workaround is disabled, there's a buffer overrun now.


> +       while (0 < timecnt32 && INT32_MAX < ats[timecnt32 - 1])
>                 --timecnt32;
> +       while (0 < timecnt32 && ats[timei32] < INT32_MIN) {
>                 --timecnt32;
>                 ++timei32;
>         }
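Review bot: the second loop in this hunk can terminate with timecnt32 == 0 while timei32 has been advanced to timecnt, so any later unconditional `ats[timei32]` access (such as `if (timei32 > 0 && ats[timei32] > INT32_MIN)`) reads one element past the last transition whenever every transition lies below INT32_MIN. The loop itself is safe because `0 < timecnt32` keeps `timei32` below `timecnt`, but that invariant is not carried to the later read; guard it with `timecnt32 > 0` as well, or with an explicit `timei32 < timecnt` check, before indexing.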


For a zone like Atlantic/South_Georgia, one transition before 1901, no fake 2038 transition:

timei32 == 1
timecnt32 == 0

Later, this read from ats[1] is out of bounds:

>     if (timei32 > 0 && ats[timei32] > INT32_MIN) {



For a quick test, something like this should trigger asan in a fresh clone from github:

    sed -ibak 's/\(WORK_AROUND_QTBUG_53071 = \)true/\1false/' zic.c
    make CFLAGS=-fsanitize=address
    echo -e "Zone foo 0:0 - -0 1890\n0:0 - -0" | ./zic -d foo -



NB, the allocation of ats as nats * 9 bytes at the start of writezone() might not be as intended:

> zic_t *ats = emalloc(size_product(nats, sizeof *ats + 1));





Danny

-- 
Daniel Fischer 
ORACLE Deutschland B.V. & Co. KG, Riesstr. 25, 80992 München - HRA MUC 95603
Komplementaer: ORACLE DE Verw.B.V., Hertogswetering 163/167, 3543 AS Utrecht
Geschaeftsfuehrer: Alexander van der Ven, Jan Schultheiss, Val Maher      NL
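The index arithmetic described in the message above, as an added example that is not zic.c and not part of the patch: a model of the two trimming loops over a constructed one-transition array, the bounds condition the later read needs, and a guarded form of that read. zic_t is assumed to be a 64-bit signed type, and the sample timestamps are constructed.

```c
/* Model of the 32-bit transition trimming in writezone() (added example,
 * not zic.c). Shows why a zone whose only transition predates INT32_MIN
 * ends with timei32 == timecnt and timecnt32 == 0, so that a later
 * unguarded ats[timei32] read is out of bounds. */
#include <stdint.h>
#include <stdio.h>

typedef int64_t zic_t; /* assumption: zic_t is a 64-bit signed integer */

/* Mirror of the patch's two loops: drop transitions above INT32_MAX from
 * the end, then drop transitions below INT32_MIN from the front. */
static void trim32(const zic_t *ats, int timecnt, int *timei32, int *timecnt32)
{
    int i = 0, n = timecnt;
    while (0 < n && INT32_MAX < ats[n - 1])
        --n;
    while (0 < n && ats[i] < INT32_MIN) {
        --n;
        ++i;
    }
    *timei32 = i;
    *timecnt32 = n;
}

/* Is the unguarded `ats[timei32]` read that follows the loops in bounds? */
static int later_read_in_bounds(int timei32, int timecnt)
{
    return timei32 < timecnt;
}

/* Guarded form of `timei32 > 0 && ats[timei32] > INT32_MIN`: only index
 * ats when at least one transition inside the 32-bit range remains. */
static int has_32bit_transition_after_gap(const zic_t *ats, int timei32, int timecnt32)
{
    return timei32 > 0 && timecnt32 > 0 && ats[timei32] > INT32_MIN;
}

/* Constructed sample: one transition at 1890-01-01 UTC, before INT32_MIN
 * (1901-12-13), like the Atlantic/South_Georgia case in the message. */
static const zic_t sample_ats[1] = { -2524521600LL };
static const int sample_timecnt = 1;

static int sample_timei32(void) { int i, n; trim32(sample_ats, sample_timecnt, &i, &n); return i; }
static int sample_timecnt32(void) { int i, n; trim32(sample_ats, sample_timecnt, &i, &n); return n; }

int main(void)
{
    int i = sample_timei32(), n = sample_timecnt32();
    printf("timei32=%d timecnt32=%d later read in bounds: %s\n",
           i, n, later_read_in_bounds(i, sample_timecnt) ? "yes" : "no");
    return 0;
}
```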


