[tz] infinite loop in time2sub
Paul Eggert
eggert at cs.ucla.edu
Thu Aug 22 19:53:39 UTC 2013
On 08/22/13 11:35, enh wrote:
> looking at the Android AOSP git history, it looks like we found and
> fixed this bug years ago but never talked to upstream about it:
Thanks for the heads-up. If I understand all those patches aright,
the following patch (which I've pushed to the experimental github
repository) should fix things. I've fixed some other integer-overflow
issues in the past few months, but I missed this one (and there are
probably others I've missed).
>From 943a6621866e9d6e654f5cfe1494378c1fb8957a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert at cs.ucla.edu>
Date: Thu, 22 Aug 2013 12:47:51 -0700
Subject: [PATCH] * localtime.c: Fix another integer overflow bug in mktime.
(time2sub): Avoid undefined behavior on time_t overflow.
Reported by Elliott Hughes in
<http://mm.icann.org/pipermail/tz/2013-August/019580.html>.
---
localtime.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/localtime.c b/localtime.c
index f58b20a..a0a4e5e 100644
--- a/localtime.c
+++ b/localtime.c
@@ -1789,14 +1789,14 @@ time2sub(struct tm *const tmp,
} else dir = tmcomp(&mytm, &yourtm);
if (dir != 0) {
if (t == lo) {
- ++t;
- if (t <= lo)
+ if (t == time_t_max)
return WRONG;
+ ++t;
++lo;
} else if (t == hi) {
- --t;
- if (t >= hi)
+ if (t == time_t_min)
return WRONG;
+ --t;
--hi;
}
if (lo > hi)
--
1.7.11.7
More information about the tz
mailing list