public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug time/18985] New: Passing out of range data to strftime() causes a segfault
@ 2015-09-20 2:02 a.nielsen at shikadi dot net
2015-09-20 2:19 ` [Bug time/18985] " ppluzhnikov at google dot com
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: a.nielsen at shikadi dot net @ 2015-09-20 2:02 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18985
Bug ID: 18985
Summary: Passing out of range data to strftime() causes a
segfault
Product: glibc
Version: 2.22
Status: NEW
Severity: normal
Priority: P2
Component: time
Assignee: unassigned at sourceware dot org
Reporter: a.nielsen at shikadi dot net
Target Milestone: ---
Created attachment 8620
--> https://sourceware.org/bugzilla/attachment.cgi?id=8620&action=edit
Test case for printing an out-of-range month name
If you pass out-of-range data to the strftime() function, it will access
invalid memory and cause the calling application to crash.
You can reproduce this error by setting an out-of-range value for the
month, and then supplying a format specifier for the month name. I have
attached a test case demonstrating this.
I think it would be better for strftime() to return 0, an error, or just a
blank in the output string rather than crashing. As Mike Frysinger pointed out
on the mailing list, POSIX says "If any of the specified values are outside the
normal range, the characters stored are unspecified." There is no mention of a
crash.
This is the mailing list thread where this bug was discussed:
https://sourceware.org/ml/libc-help/2015-07/msg00025.html
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug time/18985] Passing out of range data to strftime() causes a segfault
2015-09-20 2:02 [Bug time/18985] New: Passing out of range data to strftime() causes a segfault a.nielsen at shikadi dot net
@ 2015-09-20 2:19 ` ppluzhnikov at google dot com
2015-09-20 2:22 ` ppluzhnikov at google dot com
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: ppluzhnikov at google dot com @ 2015-09-20 2:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18985
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ppluzhnikov at google dot com
Assignee|unassigned at sourceware dot org |ppluzhnikov at google dot com
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug time/18985] Passing out of range data to strftime() causes a segfault
2015-09-20 2:02 [Bug time/18985] New: Passing out of range data to strftime() causes a segfault a.nielsen at shikadi dot net
2015-09-20 2:19 ` [Bug time/18985] " ppluzhnikov at google dot com
@ 2015-09-20 2:22 ` ppluzhnikov at google dot com
2015-09-21 9:56 ` fweimer at redhat dot com
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: ppluzhnikov at google dot com @ 2015-09-20 2:22 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18985
--- Comment #1 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
The crash:
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007ffff7d085b4 in __strftime_internal (s=<optimized out>, maxsize=200,
format=<optimized out>, tp=0x7fffffffe0e0,
tzset_called=tzset_called@entry=0x7fffffffe0bf, loc=0x7ffff7ff7440
<_nl_global_locale>) at strftime_l.c:794
#2 0x00007ffff7d097f6 in __GI___strftime_l (s=<optimized out>,
maxsize=<optimized out>, format=<optimized out>, tp=<optimized out>,
loc=<optimized out>) at strftime_l.c:482
There is absolutely no input validation in __strftime_internal, it just blindly
uses
weekday_name[tp->tm_wday]
month_name[tp->tm_mon]
etc.
Seems like it would be pretty easy to fix.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug time/18985] Passing out of range data to strftime() causes a segfault
2015-09-20 2:02 [Bug time/18985] New: Passing out of range data to strftime() causes a segfault a.nielsen at shikadi dot net
2015-09-20 2:19 ` [Bug time/18985] " ppluzhnikov at google dot com
2015-09-20 2:22 ` ppluzhnikov at google dot com
@ 2015-09-21 9:56 ` fweimer at redhat dot com
2015-09-26 20:29 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: fweimer at redhat dot com @ 2015-09-21 9:56 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18985
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security?
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug time/18985] Passing out of range data to strftime() causes a segfault
2015-09-20 2:02 [Bug time/18985] New: Passing out of range data to strftime() causes a segfault a.nielsen at shikadi dot net
` (2 preceding siblings ...)
2015-09-21 9:56 ` fweimer at redhat dot com
@ 2015-09-26 20:29 ` cvs-commit at gcc dot gnu.org
2015-09-26 20:30 ` ppluzhnikov at google dot com
2015-10-29 17:09 ` jsm28 at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-09-26 20:29 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18985
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via d36c75fc0d44deec29635dd239b0fbd206ca49b7 (commit)
from fa752c698146ca3e9f7747d33059fbef9bb02b0e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
commit d36c75fc0d44deec29635dd239b0fbd206ca49b7
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sat Sep 26 13:27:48 2015 -0700
Fix BZ #18985 -- out of range data to strftime() causes a segfault
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 8 +++++++
NEWS | 2 +-
time/strftime_l.c | 20 ++++++++++++------
time/tst-strftime.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++-
4 files changed, 73 insertions(+), 9 deletions(-)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug time/18985] Passing out of range data to strftime() causes a segfault
2015-09-20 2:02 [Bug time/18985] New: Passing out of range data to strftime() causes a segfault a.nielsen at shikadi dot net
` (3 preceding siblings ...)
2015-09-26 20:29 ` cvs-commit at gcc dot gnu.org
@ 2015-09-26 20:30 ` ppluzhnikov at google dot com
2015-10-29 17:09 ` jsm28 at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: ppluzhnikov at google dot com @ 2015-09-26 20:30 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18985
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Fixed in trunk.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug time/18985] Passing out of range data to strftime() causes a segfault
2015-09-20 2:02 [Bug time/18985] New: Passing out of range data to strftime() causes a segfault a.nielsen at shikadi dot net
` (4 preceding siblings ...)
2015-09-26 20:30 ` ppluzhnikov at google dot com
@ 2015-10-29 17:09 ` jsm28 at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2015-10-29 17:09 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18985
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.23
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-10-29 17:09 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-09-20 2:02 [Bug time/18985] New: Passing out of range data to strftime() causes a segfault a.nielsen at shikadi dot net
2015-09-20 2:19 ` [Bug time/18985] " ppluzhnikov at google dot com
2015-09-20 2:22 ` ppluzhnikov at google dot com
2015-09-21 9:56 ` fweimer at redhat dot com
2015-09-26 20:29 ` cvs-commit at gcc dot gnu.org
2015-09-26 20:30 ` ppluzhnikov at google dot com
2015-10-29 17:09 ` jsm28 at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).