[tz] [PROPOSED 4/6] Improve integer overflow checking in zdump
Paul Eggert
eggert at cs.ucla.edu
Sun Nov 20 05:47:58 UTC 2022
* zdump.c (size_overflow): New function.
(sumsize): Use it.
(sumsize, tzalloc): Don’t allow sizes greater than PTRDIFF_MAX,
as they’re trouble on many platforms.
(tzalloc, saveabbr, main, hunt, format_local_time)
(format_utc_offset, format_quoted_string, istrftime, showtrans):
Prefer ptrdiff_t to size_t where either will do, as we can
get better runtime overflow checking with signed types.
(istrftime): Check for size overflow when adding 2 (!).
---
zdump.c | 60 +++++++++++++++++++++++++++++++++------------------------
1 file changed, 35 insertions(+), 25 deletions(-)
diff --git a/zdump.c b/zdump.c
index a05b878..669d8fd 100644
--- a/zdump.c
+++ b/zdump.c
@@ -125,16 +125,24 @@ is_alpha(char a)
}
}
-/* Return A + B, exiting if the result would overflow. */
-static size_t
-sumsize(size_t a, size_t b)
+static _Noreturn void
+size_overflow(void)
{
- if (SIZE_MAX - a < b)
- return a + b;
fprintf(stderr, _("%s: size overflow\n"), progname);
exit(EXIT_FAILURE);
}
+/* Return A + B, exiting if the result would overflow either ptrdiff_t
+ or size_t. */
+static ATTRIBUTE_PURE ptrdiff_t
+sumsize(size_t a, size_t b)
+{
+ ptrdiff_t sum_max = min(PTRDIFF_MAX, SIZE_MAX);
+ if (a <= sum_max && b <= sum_max - a)
+ return a + b;
+ size_overflow();
+}
+
/* Return a pointer to a newly allocated buffer of size SIZE, exiting
on failure. SIZE should be nonzero. */
static void * ATTRIBUTE_MALLOC
@@ -237,17 +245,19 @@ tzalloc(char const *val)
enum { TZeqlen = 3 };
static char const TZeq[TZeqlen] = "TZ=";
static char **fakeenv;
- static size_t fakeenv0size;
+ static ptrdiff_t fakeenv0size;
void *freeable = NULL;
char **env = fakeenv, **initial_environ;
size_t valsize = strlen(val) + 1;
if (fakeenv0size < valsize) {
char **e = environ, **to;
- ptrdiff_t initial_nenvptrs; /* Counting the trailing NULL pointer. */
+ ptrdiff_t initial_nenvptrs = 1; /* Counting the trailing NULL pointer. */
- while (*e++)
- continue;
- initial_nenvptrs = e - environ;
+ while (*e++) {
+ if (initial_nenvptrs == min(PTRDIFF_MAX, SIZE_MAX) / sizeof *environ)
+ size_overflow();
+ initial_nenvptrs++;
+ }
fakeenv0size = sumsize(valsize, valsize);
fakeenv0size = max(fakeenv0size, 64);
freeable = env;
@@ -383,7 +393,7 @@ abbrok(const char *const abbrp, const char *const zone)
return the abbreviation. Get the abbreviation from TMP.
Exit on memory allocation failure. */
static char const *
-saveabbr(char **buf, size_t *bufalloc, struct tm const *tmp)
+saveabbr(char **buf, ptrdiff_t *bufalloc, struct tm const *tmp)
{
char const *ab = abbr(tmp);
if (HAVE_LOCALTIME_RZ)
@@ -440,7 +450,7 @@ main(int argc, char *argv[])
{
/* These are static so that they're initially zero. */
static char * abbrev;
- static size_t abbrevsize;
+ static ptrdiff_t abbrevsize;
register int i;
register bool vflag;
@@ -696,7 +706,7 @@ static time_t
hunt(timezone_t tz, char *name, time_t lot, time_t hit, bool only_ok)
{
static char * loab;
- static size_t loabsize;
+ static ptrdiff_t loabsize;
struct tm lotm;
struct tm tm;
@@ -935,7 +945,7 @@ my_snprintf(char *s, size_t size, char const *format, ...)
fit, return the length that the string would have been if it had
fit; do not overrun the output buffer. */
static int
-format_local_time(char *buf, size_t size, struct tm const *tm)
+format_local_time(char *buf, ptrdiff_t size, struct tm const *tm)
{
int ss = tm->tm_sec, mm = tm->tm_min, hh = tm->tm_hour;
return (ss
@@ -958,7 +968,7 @@ format_local_time(char *buf, size_t size, struct tm const *tm)
the length that the string would have been if it had fit; do not
overrun the output buffer. */
static int
-format_utc_offset(char *buf, size_t size, struct tm const *tm, time_t t)
+format_utc_offset(char *buf, ptrdiff_t size, struct tm const *tm, time_t t)
{
long off = gmtoff(tm, &t, NULL);
char sign = ((off < 0
@@ -987,11 +997,11 @@ format_utc_offset(char *buf, size_t size, struct tm const *tm, time_t t)
If the representation's length is less than SIZE, return the
length; the representation is not null terminated. Otherwise
return SIZE, to indicate that BUF is too small. */
-static size_t
-format_quoted_string(char *buf, size_t size, char const *p)
+static ptrdiff_t
+format_quoted_string(char *buf, ptrdiff_t size, char const *p)
{
char *b = buf;
- size_t s = size;
+ ptrdiff_t s = size;
if (!s)
return size;
*b++ = '"', s--;
@@ -1029,11 +1039,11 @@ format_quoted_string(char *buf, size_t size, char const *p)
and omit any trailing tabs. */
static bool
-istrftime(char *buf, size_t size, char const *time_fmt,
+istrftime(char *buf, ptrdiff_t size, char const *time_fmt,
struct tm const *tm, time_t t, char const *ab, char const *zone_name)
{
char *b = buf;
- size_t s = size;
+ ptrdiff_t s = size;
char const *f = time_fmt, *p;
for (p = f; ; p++)
@@ -1042,9 +1052,9 @@ istrftime(char *buf, size_t size, char const *time_fmt,
else if (!*p
|| (*p == '%'
&& (p[1] == 'f' || p[1] == 'L' || p[1] == 'Q'))) {
- size_t formatted_len;
- size_t f_prefix_len = p - f;
- size_t f_prefix_copy_size = p - f + 2;
+ ptrdiff_t formatted_len;
+ ptrdiff_t f_prefix_len = p - f;
+ ptrdiff_t f_prefix_copy_size = sumsize(f_prefix_len, 2);
char fbuf[100];
bool oversized = sizeof fbuf <= f_prefix_copy_size;
char *f_prefix_copy = oversized ? xmalloc(f_prefix_copy_size) : fbuf;
@@ -1076,7 +1086,7 @@ istrftime(char *buf, size_t size, char const *time_fmt,
b += offlen, s -= offlen;
if (show_abbr) {
char const *abp;
- size_t len;
+ ptrdiff_t len;
if (s <= 1)
return false;
*b++ = '\t', s--;
@@ -1115,7 +1125,7 @@ showtrans(char const *time_fmt, struct tm const *tm, time_t t, char const *ab,
putchar('\n');
} else {
char stackbuf[1000];
- size_t size = sizeof stackbuf;
+ ptrdiff_t size = sizeof stackbuf;
char *buf = stackbuf;
char *bufalloc = NULL;
while (! istrftime(buf, size, time_fmt, tm, t, ab, zone_name)) {
--
2.38.1
More information about the tz
mailing list