From: Paul Eggert Date: Sun, 2 Nov 2025 00:45:12 +0000 (-0600) Subject: nstrftime: do not return PTRDIFF_MAX X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9b83b5c7ab7fa9f73ef74aa4c0b0f92c5f385c8;p=thirdparty%2Fgnulib.git nstrftime: do not return PTRDIFF_MAX Previously, nstrftime (NULL, SIZE_MAX, ...) could return PTRDIFF_MAX, which would cause problems in the common case where the caller adds 1 to the result in order to allocate. To avoid this, arrange for nstrftime to return at most PTRDIFF_MAX - 1. * lib/strftime.c (__strftime_internal) [FAILURE && !FPRINTFTIME]: Silently ceiling MAXSIZE to PTRDIFF_MAX. --- diff --git a/ChangeLog b/ChangeLog index b2f223fc6a..1d2195ca0f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ 2025-11-01 Paul Eggert + nstrftime: do not return PTRDIFF_MAX + Previously, nstrftime (NULL, SIZE_MAX, ...) could return + PTRDIFF_MAX, which would cause problems in the common case + where the caller adds 1 to the result in order to allocate. + To avoid this, arrange for nstrftime to return at most PTRDIFF_MAX - 1. + * lib/strftime.c (__strftime_internal) [FAILURE && !FPRINTFTIME]: + Silently ceiling MAXSIZE to PTRDIFF_MAX. + nstrftime: fix very-unlikely integer overflow issues * lib/strftime.c (SBYTE_COUNT_MAX): Remove. (incr_overflow): New macro. diff --git a/lib/strftime.c b/lib/strftime.c index 5ed3cf5900..6445d6e3d2 100644 --- a/lib/strftime.c +++ b/lib/strftime.c @@ -1189,6 +1189,9 @@ __strftime_internal (STREAM_OR_CHAR_T *s, STRFTIME_ARG (size_t maxsize) #endif #if FAILURE == 0 int saved_errno = errno; +#elif !FPRINTFTIME + if (PTRDIFF_MAX < maxsize) + maxsize = PTRDIFF_MAX; #endif #ifdef _NL_CURRENT diff --git a/lib/strftime.h b/lib/strftime.h index 52385dce0a..bb2b63b075 100644 --- a/lib/strftime.h +++ b/lib/strftime.h 
@@ -76,6 +76,13 @@ extern "C" { If unsuccessful, possibly change the array __S, set errno, and return -1; errno == ERANGE means the string didn't fit. + As a glibc extension if __S is null, do not store anything, and + return the value that would have been returned had __S been non-null. + + A __MAXSIZE greater than PTRDIFF_MAX is silently treated as if + it were PTRDIFF_MAX, so that the caller can safely add 1 to + any return value without overflow. + This function is like strftime, but with two more arguments: * __TZ instead of the local timezone information, * __NS as the number of nanoseconds in the %N directive,
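Review bot: the ChangeLog entry added in the ChangeLog hunk names only lib/strftime.c (__strftime_internal), yet the same patch also changes the function comment in lib/strftime.h. Suggest adding a line such as `* lib/strftime.h: Document this.` to the entry so the header change is recorded alongside the code change.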
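Review bot: in the lib/strftime.c hunk, the new clamp is placed in an `#elif !FPRINTFTIME` arm of `#if FAILURE == 0`, so it is compiled only when FAILURE is nonzero, and nothing at that spot says why. Suggest a short comment above `if (PTRDIFF_MAX < maxsize)` stating that the limit is what keeps the return value at most PTRDIFF_MAX - 1 (the bound given in the commit message) so callers can add 1 before allocating, and noting that FAILURE == 0 builds are left unclamped deliberately, if that is the intent.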
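Review bot: in the lib/strftime.h hunk, the new paragraph promises that the caller can add 1 to any return value without overflow but never states the bound itself, which the commit message gives as at most PTRDIFF_MAX - 1. Suggest writing that bound into the comment, and saying what the caller gets when __S is null and the result does not fit under the clamped __MAXSIZE (presumably the existing -1 with errno == ERANGE, but the added text does not say). Minor: "As a glibc extension if __S is null" reads better with a comma after "extension".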