[tz] infinite loop in time2sub

Paul Eggert eggert at cs.ucla.edu
Thu Aug 22 19:53:39 UTC 2013


On 08/22/13 11:35, enh wrote:

> looking at the Android AOSP git history, it looks like we found and
> fixed this bug years ago but never talked to upstream about it:

Thanks for the heads-up.  If I understand all those patches aright,
the following patch (which I've pushed to the experimental github
repository) should fix things.  I've fixed some other integer-overflow
issues in the past few months, but I missed this one (and there are
probably others I've missed).

From 943a6621866e9d6e654f5cfe1494378c1fb8957a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert at cs.ucla.edu>
Date: Thu, 22 Aug 2013 12:47:51 -0700
Subject: [PATCH] * localtime.c: Fix another integer overflow bug in mktime.

(time2sub): Avoid undefined behavior on time_t overflow.
Reported by Elliott Hughes in
<http://mm.icann.org/pipermail/tz/2013-August/019580.html>.
---
 localtime.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/localtime.c b/localtime.c
index f58b20a..a0a4e5e 100644
--- a/localtime.c
+++ b/localtime.c
@@ -1789,14 +1789,14 @@ time2sub(struct tm *const tmp,
 		} else	dir = tmcomp(&mytm, &yourtm);
 		if (dir != 0) {
 			if (t == lo) {
-				++t;
-				if (t <= lo)
+				if (t == time_t_max)
 					return WRONG;
+				++t;
 				++lo;
 			} else if (t == hi) {
-				--t;
-				if (t >= hi)
+				if (t == time_t_min)
 					return WRONG;
+				--t;
 				--hi;
 			}
 			if (lo > hi)
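
Review bot: In both branches the new guard (`if (t == time_t_max)` ahead of `++t`, `if (t == time_t_min)` ahead of `--t`) has no comment saying why the test must come before the step. The removed form (`++t; if (t <= lo)`) tested only after the overflow had already occurred, which is undefined behavior when time_t is a signed integer type, so the compiler was free to drop the check. A one-line comment stating that would keep a later cleanup from moving the test back after the increment. `time_t_max` and `time_t_min` are defined outside this hunk, so it is also worth confirming that they hold the exact limits of `time_t` on every supported configuration, since the guard is only as reliable as those two values. Because `t == lo` (or `t == hi`) holds on entry to each branch, the following `++lo` and `--hi` are covered by the same guard and need no separate check.
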
-- 
1.7.11.7




