From: Arjun Shankar <arjun@redhat.com>
Date: Tue, 6 Jun 2023 17:20:31 +0000 (+0200)
Subject: time: Fix use-after-free in getdate
X-Git-Tag: glibc-2.38~147
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=85e6d8b4175fcb195011a0a1bad37d6f3b2355db;p=thirdparty%2Fglibc.git

time: Fix use-after-free in getdate

getdate would free the buffer pointed to by the result of its call to
strptime, then reference the same buffer later on -- leading to a
use-after-free.  This commit fixes that.

Reported-by: Martin Coufal <mcoufal@redhat.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
---

diff --git a/time/getdate.c b/time/getdate.c
index 1dcbd77188a..ca058394a3f 100644
--- a/time/getdate.c
+++ b/time/getdate.c
@@ -114,6 +114,7 @@ __getdate_r (const char *string, struct tm *tp)
   struct tm tm;
   struct __stat64_t64 st;
   bool mday_ok = false;
+  bool found = false;
 
   datemsk = getenv ("DATEMSK");
   if (datemsk == NULL || *datemsk == '\0')
@@ -181,7 +182,7 @@ __getdate_r (const char *string, struct tm *tp)
       tp->tm_gmtoff = 0;
       tp->tm_zone = NULL;
       result = strptime (string, line, tp);
-      if (result && *result == '\0')
+      if ((found = (result && *result == '\0')))
 	break;
     }
   while (!__feof_unlocked (fp));
@@ -201,7 +202,7 @@ __getdate_r (const char *string, struct tm *tp)
   /* Close template file.  */
   fclose (fp);
 
-  if (result == NULL || *result != '\0')
+  if (!found)
     return 7;
 
   /* Get current time.  */