From 85e6d8b4175fcb195011a0a1bad37d6f3b2355db Mon Sep 17 00:00:00 2001
From: Arjun Shankar <arjun@redhat.com>
Date: Tue, 6 Jun 2023 19:20:31 +0200
Subject: time: Fix use-after-free in getdate

getdate would free the buffer pointed to by the result of its call to
strptime, then reference the same buffer later on -- leading to a
use-after-free.  This commit fixes that.

Reported-by: Martin Coufal <mcoufal@redhat.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
---
 time/getdate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'time')

diff --git a/time/getdate.c b/time/getdate.c
index 1dcbd77188..ca058394a3 100644
--- a/time/getdate.c
+++ b/time/getdate.c
@@ -114,6 +114,7 @@ __getdate_r (const char *string, struct tm *tp)
   struct tm tm;
   struct __stat64_t64 st;
   bool mday_ok = false;
+  bool found = false;
 
   datemsk = getenv ("DATEMSK");
   if (datemsk == NULL || *datemsk == '\0')
@@ -181,7 +182,7 @@ __getdate_r (const char *string, struct tm *tp)
       tp->tm_gmtoff = 0;
       tp->tm_zone = NULL;
       result = strptime (string, line, tp);
-      if (result && *result == '\0')
+      if ((found = (result && *result == '\0')))
 	break;
     }
   while (!__feof_unlocked (fp));
@@ -201,7 +202,7 @@ __getdate_r (const char *string, struct tm *tp)
   /* Close template file.  */
   fclose (fp);
 
-  if (result == NULL || *result != '\0')
+  if (!found)
     return 7;
 
   /* Get current time.  */
-- 
cgit 1.4.1