about summary refs log tree commit diff
path: root/time
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2015-04-24 17:34:47 +0200
committerFlorian Weimer <fweimer@redhat.com>2015-04-24 17:34:48 +0200
commit42261ad731991df345880b0b509d83b0b9a9b9d8 (patch)
tree440bf43dca45a9002402ec602f0deaf3bfa6e3e3 /time
parented159672eb3cd650a32b7e5cb4d5ec1fe0e63802 (diff)
downloadglibc-42261ad731991df345880b0b509d83b0b9a9b9d8.tar.gz
glibc-42261ad731991df345880b0b509d83b0b9a9b9d8.tar.xz
glibc-42261ad731991df345880b0b509d83b0b9a9b9d8.zip
Make time zone file parser more robust [BZ #17715]
Diffstat (limited to 'time')
-rw-r--r--time/tzfile.c15
-rw-r--r--time/tzset.c401
2 files changed, 209 insertions, 207 deletions
diff --git a/time/tzfile.c b/time/tzfile.c
index bcb408fcdb..46d4fc71ae 100644
--- a/time/tzfile.c
+++ b/time/tzfile.c
@@ -200,6 +200,9 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
   num_isstd = (size_t) decode (tzhead.tzh_ttisstdcnt);
   num_isgmt = (size_t) decode (tzhead.tzh_ttisgmtcnt);
 
+  if (__glibc_unlikely (num_isstd > num_types || num_isgmt > num_types))
+    goto lose;
+
   /* For platforms with 64-bit time_t we use the new format if available.  */
   if (sizeof (time_t) == 8 && trans_width == 4
       && tzhead.tzh_version[0] != '\0')
@@ -434,13 +437,21 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
 	goto lose;
 
       tzspec_len = st.st_size - off - 1;
-      char *tzstr = alloca (tzspec_len);
+      if (tzspec_len == 0)
+	goto lose;
+      char *tzstr = malloc (tzspec_len);
+      if (tzstr == NULL)
+	goto lose;
       if (getc_unlocked (f) != '\n'
 	  || (__fread_unlocked (tzstr, 1, tzspec_len - 1, f)
 	      != tzspec_len - 1))
-	goto lose;
+	{
+	  free (tzstr);
+	  goto lose;
+	}
       tzstr[tzspec_len - 1] = '\0';
       tzspec = __tzstring (tzstr);
+      free (tzstr);
     }
 
   /* Don't use an empty TZ string.  */
diff --git a/time/tzset.c b/time/tzset.c
index 82324ca980..d115bae0be 100644
--- a/time/tzset.c
+++ b/time/tzset.c
@@ -18,6 +18,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <bits/libc-lock.h>
+#include <stdbool.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -82,15 +83,14 @@ struct tzstring_l
 
 static struct tzstring_l *tzstring_list;
 
-/* Allocate a permanent home for S.  It will never be moved or deallocated,
-   but may share space with other strings.
-   Don't modify the returned string. */
-char *
-__tzstring (const char *s)
+/* Allocate a permanent home for the first LEN characters of S.  It
+   will never be moved or deallocated, but may share space with other
+   strings.  Don't modify the returned string. */
+static char *
+__tzstring_len (const char *s, size_t len)
 {
   char *p;
   struct tzstring_l *t, *u, *new;
-  size_t len = strlen (s);
 
   /* Walk the list and look for a match.  If this string is the same
      as the end of an already-allocated string, it can share space. */
@@ -98,7 +98,7 @@ __tzstring (const char *s)
     if (len <= t->len)
       {
 	p = &t->data[t->len - len];
-	if (strcmp (s, p) == 0)
+	if (memcmp (s, p, len) == 0)
 	  return p;
       }
 
@@ -109,7 +109,8 @@ __tzstring (const char *s)
 
   new->next = NULL;
   new->len = len;
-  strcpy (new->data, s);
+  memcpy (new->data, s, len);
+  new->data[len] = '\0';
 
   if (u)
     u->next = new;
@@ -118,6 +119,15 @@ __tzstring (const char *s)
 
   return new->data;
 }
+
+/* Allocate a permanent home for S.  It will never be moved or
+   deallocated, but may share space with other strings.  Don't modify
+   the returned string. */
+char *
+__tzstring (const char *s)
+{
+  return __tzstring_len (s, strlen (s));
+}
 
 /* Maximum length of a timezone name.  tzset_internal keeps this up to date
    (never decreasing it) when ! __use_tzfile.
@@ -164,234 +174,215 @@ compute_offset (unsigned int ss, unsigned int mm, unsigned int hh)
   return min (ss, 59) + min (mm, 59) * 60 + min (hh, 24) * 60 * 60;
 }
 
-
-/* Parse the POSIX TZ-style string.  */
-void
-__tzset_parse_tz (tz)
-     const char *tz;
+/* Parses the time zone name at *TZP, and writes a pointer to an
+   interned string to tz_rules[WHICHRULE].name.  On success, advances
+   *TZP, and returns true.  Returns false otherwise.  */
+static bool
+parse_tzname (const char **tzp, int whichrule)
 {
-  unsigned short int hh, mm, ss;
-
-  /* Clear out old state and reset to unnamed UTC.  */
-  memset (tz_rules, '\0', sizeof tz_rules);
-  tz_rules[0].name = tz_rules[1].name = "";
-
-  /* Get the standard timezone name.  */
-  char *tzbuf = strdupa (tz);
-
-  int consumed;
-  if (sscanf (tz, "%[A-Za-z]%n", tzbuf, &consumed) != 1)
+  const char *start = *tzp;
+  const char *p = start;
+  while (('a' <= *p && *p <= 'z')
+	 || ('A' <= *p && *p <= 'Z'))
+      ++p;
+  size_t len = p - start;
+  if (len < 3)
     {
-      /* Check for the quoted version.  */
-      char *wp = tzbuf;
-      if (__glibc_unlikely (*tz++ != '<'))
-	goto out;
-
-      while (isalnum (*tz) || *tz == '+' || *tz == '-')
-	*wp++ = *tz++;
-      if (__glibc_unlikely (*tz++ != '>' || wp - tzbuf < 3))
-	goto out;
-      *wp = '\0';
+      p = *tzp;
+      if (__glibc_unlikely (*p++ != '<'))
+	return false;
+      start = p;
+      while (('a' <= *p && *p <= 'z')
+	     || ('A' <= *p && *p <= 'Z')
+	     || ('0' <= *p && *p <= '9')
+	     || *p == '+' || *p == '-')
+	++p;
+      len = p - start;
+      if (*p++ != '>' || len < 3)
+	return false;
     }
-  else if (__glibc_unlikely (consumed < 3))
-    goto out;
-  else
-    tz += consumed;
-
-  tz_rules[0].name = __tzstring (tzbuf);
+  tz_rules[whichrule].name = __tzstring_len (start, len);
+  *tzp = p;
+  return true;
+}
 
-  /* Figure out the standard offset from UTC.  */
-  if (*tz == '\0' || (*tz != '+' && *tz != '-' && !isdigit (*tz)))
-    goto out;
+/* Parses the time zone offset at *TZP, and writes it to
+   tz_rules[WHICHRULE].offset.  Returns true if the parse was
+   successful.  */
+static bool
+parse_offset (const char **tzp, int whichrule)
+{
+  const char *tz = *tzp;
+  if (whichrule == 0
+      && (*tz == '\0' || (*tz != '+' && *tz != '-' && !isdigit (*tz))))
+    return false;
 
+  long sign;
   if (*tz == '-' || *tz == '+')
-    tz_rules[0].offset = *tz++ == '-' ? 1L : -1L;
+    sign = *tz++ == '-' ? 1L : -1L;
   else
-    tz_rules[0].offset = -1L;
-  switch (sscanf (tz, "%hu%n:%hu%n:%hu%n",
-		  &hh, &consumed, &mm, &consumed, &ss, &consumed))
-    {
-    default:
-      tz_rules[0].offset = 0;
-      goto out;
-    case 1:
-      mm = 0;
-    case 2:
-      ss = 0;
-    case 3:
-      break;
-    }
-  tz_rules[0].offset *= compute_offset (ss, mm, hh);
-  tz += consumed;
-
-  /* Get the DST timezone name (if any).  */
-  if (*tz != '\0')
-    {
-      if (sscanf (tz, "%[A-Za-z]%n", tzbuf, &consumed) != 1)
-	{
-	  /* Check for the quoted version.  */
-	  char *wp = tzbuf;
-	  const char *rp = tz;
-	  if (__glibc_unlikely (*rp++ != '<'))
-	    /* Punt on name, set up the offsets.  */
-	    goto done_names;
-
-	  while (isalnum (*rp) || *rp == '+' || *rp == '-')
-	    *wp++ = *rp++;
-	  if (__glibc_unlikely (*rp++ != '>' || wp - tzbuf < 3))
-	    /* Punt on name, set up the offsets.  */
-	    goto done_names;
-	  *wp = '\0';
-	  tz = rp;
-	}
-      else if (__glibc_unlikely (consumed < 3))
-	/* Punt on name, set up the offsets.  */
-	goto done_names;
+    sign = -1L;
+  *tzp = tz;
+
+  unsigned short int hh;
+  unsigned short mm = 0;
+  unsigned short ss = 0;
+  int consumed = 0;
+  if (sscanf (tz, "%hu%n:%hu%n:%hu%n",
+	      &hh, &consumed, &mm, &consumed, &ss, &consumed) > 0)
+    tz_rules[whichrule].offset = sign * compute_offset (ss, mm, hh);
+  else
+    /* Nothing could be parsed. */
+    if (whichrule == 0)
+      {
+	/* Standard time defaults to offset zero.  */
+	tz_rules[0].offset = 0;
+	return false;
+      }
       else
-	tz += consumed;
+	/* DST defaults to one hour later than standard time.  */
+	tz_rules[1].offset = tz_rules[0].offset + (60 * 60);
+  *tzp = tz + consumed;
+  return true;
+}
 
-      tz_rules[1].name = __tzstring (tzbuf);
+/* Parses the standard <-> DST rules at *TZP.  Updates
+   tz_rule[WHICHRULE].  On success, advances *TZP and returns true.
+   Otherwise, returns false.  */
+static bool
+parse_rule (const char **tzp, int whichrule)
+{
+  const char *tz = *tzp;
+  tz_rule *tzr = &tz_rules[whichrule];
 
-      /* Figure out the DST offset from GMT.  */
-      if (*tz == '-' || *tz == '+')
-	tz_rules[1].offset = *tz++ == '-' ? 1L : -1L;
-      else
-	tz_rules[1].offset = -1L;
+  /* Ignore comma to support string following the incorrect
+     specification in early POSIX.1 printings.  */
+  tz += *tz == ',';
 
-      switch (sscanf (tz, "%hu%n:%hu%n:%hu%n",
-		      &hh, &consumed, &mm, &consumed, &ss, &consumed))
+  /* Get the date of the change.  */
+  if (*tz == 'J' || isdigit (*tz))
+    {
+      char *end;
+      tzr->type = *tz == 'J' ? J1 : J0;
+      if (tzr->type == J1 && !isdigit (*++tz))
+	return false;
+      unsigned long int d = strtoul (tz, &end, 10);
+      if (end == tz || d > 365)
+	return false;
+      if (tzr->type == J1 && d == 0)
+	return false;
+      tzr->d = d;
+      tz = end;
+    }
+  else if (*tz == 'M')
+    {
+      tzr->type = M;
+      int consumed;
+      if (sscanf (tz, "M%hu.%hu.%hu%n",
+		  &tzr->m, &tzr->n, &tzr->d, &consumed) != 3
+	  || tzr->m < 1 || tzr->m > 12
+	  || tzr->n < 1 || tzr->n > 5 || tzr->d > 6)
+	return false;
+      tz += consumed;
+    }
+  else if (*tz == '\0')
+    {
+      /* Daylight time rules in the U.S. are defined in the U.S. Code,
+	 Title 15, Chapter 6, Subchapter IX - Standard Time.  These
+	 dates were established by Congress in the Energy Policy Act
+	 of 2005 [Pub. L. no. 109-58, 119 Stat 594 (2005)].
+	 Below is the equivalent of "M3.2.0,M11.1.0" [/2 not needed
+	 since 2:00AM is the default].  */
+      tzr->type = M;
+      if (tzr == &tz_rules[0])
 	{
-	default:
-	  /* Default to one hour later than standard time.  */
-	  tz_rules[1].offset = tz_rules[0].offset + (60 * 60);
-	  break;
-
-	case 1:
-	  mm = 0;
-	case 2:
-	  ss = 0;
-	case 3:
-	  tz_rules[1].offset *= compute_offset (ss, mm, hh);
-	  tz += consumed;
-	  break;
+	  tzr->m = 3;
+	  tzr->n = 2;
+	  tzr->d = 0;
 	}
-      if (*tz == '\0' || (tz[0] == ',' && tz[1] == '\0'))
+      else
 	{
-	  /* There is no rule.  See if there is a default rule file.  */
-	  __tzfile_default (tz_rules[0].name, tz_rules[1].name,
-			    tz_rules[0].offset, tz_rules[1].offset);
-	  if (__use_tzfile)
-	    {
-	      free (old_tz);
-	      old_tz = NULL;
-	      return;
-	    }
+	  tzr->m = 11;
+	  tzr->n = 1;
+	  tzr->d = 0;
 	}
     }
   else
+    return false;
+
+  if (*tz != '\0' && *tz != '/' && *tz != ',')
+    return false;
+  else if (*tz == '/')
     {
-      /* There is no DST.  */
-      tz_rules[1].name = tz_rules[0].name;
-      tz_rules[1].offset = tz_rules[0].offset;
-      goto out;
+      /* Get the time of day of the change.  */
+      int negative;
+      ++tz;
+      if (*tz == '\0')
+	return false;
+      negative = *tz == '-';
+      tz += negative;
+      /* Default to 2:00 AM.  */
+      unsigned short hh = 2;
+      unsigned short mm = 0;
+      unsigned short ss = 0;
+      int consumed = 0;
+      sscanf (tz, "%hu%n:%hu%n:%hu%n",
+	      &hh, &consumed, &mm, &consumed, &ss, &consumed);;
+      tz += consumed;
+      tzr->secs = (negative ? -1 : 1) * ((hh * 60 * 60) + (mm * 60) + ss);
     }
+  else
+    /* Default to 2:00 AM.  */
+    tzr->secs = 2 * 60 * 60;
 
- done_names:
-  /* Figure out the standard <-> DST rules.  */
-  for (unsigned int whichrule = 0; whichrule < 2; ++whichrule)
-    {
-      tz_rule *tzr = &tz_rules[whichrule];
+  tzr->computed_for = -1;
+  *tzp = tz;
+  return true;
+}
 
-      /* Ignore comma to support string following the incorrect
-	 specification in early POSIX.1 printings.  */
-      tz += *tz == ',';
+/* Parse the POSIX TZ-style string.  */
+void
+__tzset_parse_tz (const char *tz)
+{
+  /* Clear out old state and reset to unnamed UTC.  */
+  memset (tz_rules, '\0', sizeof tz_rules);
+  tz_rules[0].name = tz_rules[1].name = "";
 
-      /* Get the date of the change.  */
-      if (*tz == 'J' || isdigit (*tz))
-	{
-	  char *end;
-	  tzr->type = *tz == 'J' ? J1 : J0;
-	  if (tzr->type == J1 && !isdigit (*++tz))
-	    goto out;
-	  unsigned long int d = strtoul (tz, &end, 10);
-	  if (end == tz || d > 365)
-	    goto out;
-	  if (tzr->type == J1 && d == 0)
-	    goto out;
-	  tzr->d = d;
-	  tz = end;
-	}
-      else if (*tz == 'M')
-	{
-	  tzr->type = M;
-	  if (sscanf (tz, "M%hu.%hu.%hu%n",
-		      &tzr->m, &tzr->n, &tzr->d, &consumed) != 3
-	      || tzr->m < 1 || tzr->m > 12
-	      || tzr->n < 1 || tzr->n > 5 || tzr->d > 6)
-	    goto out;
-	  tz += consumed;
-	}
-      else if (*tz == '\0')
+  /* Get the standard timezone name.  */
+  if (parse_tzname (&tz, 0) && parse_offset (&tz, 0))
+    {
+      /* Get the DST timezone name (if any).  */
+      if (*tz != '\0')
 	{
-         /* Daylight time rules in the U.S. are defined in the
-            U.S. Code, Title 15, Chapter 6, Subchapter IX - Standard
-            Time.  These dates were established by Congress in the
-            Energy Policy Act of 2005 [Pub. L. no. 109-58, 119 Stat 594
-            (2005)].
-	    Below is the equivalent of "M3.2.0,M11.1.0" [/2 not needed
-	    since 2:00AM is the default].  */
-	  tzr->type = M;
-	  if (tzr == &tz_rules[0])
+	  if (parse_tzname (&tz, 1))
 	    {
-	      tzr->m = 3;
-	      tzr->n = 2;
-	      tzr->d = 0;
-	    }
-	  else
-	    {
-	      tzr->m = 11;
-	      tzr->n = 1;
-	      tzr->d = 0;
+	      parse_offset (&tz, 1);
+	      if (*tz == '\0' || (tz[0] == ',' && tz[1] == '\0'))
+		{
+		  /* There is no rule.  See if there is a default rule
+		     file.  */
+		  __tzfile_default (tz_rules[0].name, tz_rules[1].name,
+				    tz_rules[0].offset, tz_rules[1].offset);
+		  if (__use_tzfile)
+		    {
+		      free (old_tz);
+		      old_tz = NULL;
+		      return;
+		    }
+		}
 	    }
+	  /* Figure out the standard <-> DST rules.  */
+	  if (parse_rule (&tz, 0))
+	    parse_rule (&tz, 1);
 	}
       else
-	goto out;
-
-      if (*tz != '\0' && *tz != '/' && *tz != ',')
-	goto out;
-      else if (*tz == '/')
 	{
-	  /* Get the time of day of the change.  */
-	  int negative;
-	  ++tz;
-	  if (*tz == '\0')
-	    goto out;
-	  negative = *tz == '-';
-	  tz += negative;
-	  consumed = 0;
-	  switch (sscanf (tz, "%hu%n:%hu%n:%hu%n",
-			  &hh, &consumed, &mm, &consumed, &ss, &consumed))
-	    {
-	    default:
-	      hh = 2;		/* Default to 2:00 AM.  */
-	    case 1:
-	      mm = 0;
-	    case 2:
-	      ss = 0;
-	    case 3:
-	      break;
-	    }
-	  tz += consumed;
-	  tzr->secs = (negative ? -1 : 1) * ((hh * 60 * 60) + (mm * 60) + ss);
+	  /* There is no DST.  */
+	  tz_rules[1].name = tz_rules[0].name;
+	  tz_rules[1].offset = tz_rules[0].offset;
 	}
-      else
-	/* Default to 2:00 AM.  */
-	tzr->secs = 2 * 60 * 60;
-
-      tzr->computed_for = -1;
     }
 
- out:
   update_vars ();
 }