nstrftime: do not return PTRDIFF_MAX

Previously, nstrftime (NULL, SIZE_MAX, ...) could return
PTRDIFF_MAX, which would cause problems in the common case
where the caller adds 1 to the result in order to allocate.
To avoid this, arrange for nstrftime to return at most PTRDIFF_MAX - 1.
* lib/strftime.c (__strftime_internal) [FAILURE && !FPRINTFTIME]:
Silently ceiling MAXSIZE to PTRDIFF_MAX.

diff --git a/ChangeLog b/ChangeLog
index b2f223fc6aab16c5ac4f8fb94884bf3d64b66962..1d2195ca0fa6bec45e8a6254b27fb5bf5a7d021e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2025-11-01  Paul Eggert  <eggert@cs.ucla.edu>
 
+       nstrftime: do not return PTRDIFF_MAX
+       Previously, nstrftime (NULL, SIZE_MAX, ...) could return
+       PTRDIFF_MAX, which would cause problems in the common case
+       where the caller adds 1 to the result in order to allocate.
+       To avoid this, arrange for nstrftime to return at most PTRDIFF_MAX - 1.
+       * lib/strftime.c (__strftime_internal) [FAILURE && !FPRINTFTIME]:
+       Silently ceiling MAXSIZE to PTRDIFF_MAX.
+
        nstrftime: fix very-unlikely integer overflow issues
        * lib/strftime.c (SBYTE_COUNT_MAX): Remove.
        (incr_overflow): New macro.

diff --git a/lib/strftime.c b/lib/strftime.c
index 5ed3cf5900ae1ab47d1421b146d23a5775e8f1a4..6445d6e3d288d180204d86b0010e9517679d3ee3 100644 (file)
--- a/lib/strftime.c
+++ b/lib/strftime.c
@@ -1189,6 +1189,9 @@ __strftime_internal (STREAM_OR_CHAR_T *s, STRFTIME_ARG (size_t maxsize)
 #endif
 #if FAILURE == 0
   int saved_errno = errno;
+#elif !FPRINTFTIME
+  if (PTRDIFF_MAX < maxsize)
+    maxsize = PTRDIFF_MAX;
 #endif
 
 #ifdef _NL_CURRENT

diff --git a/lib/strftime.h b/lib/strftime.h
index 52385dce0ab9957fbe076d0aafde2259dcecd5ee..bb2b63b075f8d77c2a61d7fcf80fb49d38218108 100644 (file)
--- a/lib/strftime.h
+++ b/lib/strftime.h
@@ -76,6 +76,13 @@ extern "C" {
    If unsuccessful, possibly change the array __S, set errno, and return -1;
    errno == ERANGE means the string didn't fit.
 
+   As a glibc extension if __S is null, do not store anything, and
+   return the value that would have been returned had __S been non-null.
+
+   A __MAXSIZE greater than PTRDIFF_MAX is silently treated as if
+   it were PTRDIFF_MAX, so that the caller can safely add 1 to
+   any return value without overflow.
+
    This function is like strftime, but with two more arguments:
      * __TZ instead of the local timezone information,
      * __NS as the number of nanoseconds in the %N directive,