From 515a6f53cd984d5e6e374fbee52772f967fc3c73 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 13 Sep 2021 22:49:45 -0700 Subject: [PATCH] Fix subscript error with odd TZif file [BZ #28338] * time/tzfile.c (__tzfile_compute): Fix unlikely off-by-one bug that accessed before start of an array when an oddball-but-valid TZif file was queried with an unusual time_t value. Reviewed-by: Adhemerval Zanella (cherry picked from commit 645277434a42efc547d2cac8bfede4da10b4049f) --- NEWS | 3 ++- time/tzfile.c | 3 +-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 2758ba644ae..22154086774 100644 --- a/NEWS +++ b/NEWS @@ -15,13 +15,14 @@ The following bugs are resolved with this release: [28182] _TIME_BITS=64 in C++ has issues with fcntl, ioctl, prctl [28223] mips: clone does not align stack [28310] Do not use affinity mask for sysconf (_SC_NPROCESSORS_CONF) + [28338] undefined behavior in __tzfile_compute with oddball TZif file [28340] ld.so crashes while loading a DSO with a read-only dynamic section [28357] deadlock between pthread_create and ELF constructors [28361] nptl: Avoid setxid deadlock with blocked signals in thread exit [28407] pthread_kill assumes that kill and tgkill are equivalent [28524] Conversion from ISO-2022-JP-3 with iconv may emit spurious NULs - [28607] Masked signals are delivered on thread exit [28532] powerpc64[le]: CFI for assembly templated syscalls is incorrect + [28607] Masked signals are delivered on thread exit [28678] nptl/tst-create1 hangs sporadically [28700] "dns [!UNAVAIL=return] files" NSS default for hosts is not useful [28702] RISC-V: clone does not align stack diff --git a/time/tzfile.c b/time/tzfile.c index 4377018a559..190a777152b 100644 --- a/time/tzfile.c +++ b/time/tzfile.c @@ -765,8 +765,7 @@ __tzfile_compute (__time64_t timer, int use_localtime, *leap_correct = leaps[i].change; if (timer == leaps[i].transition /* Exactly at the transition time. */ - && ((i == 0 && leaps[i].change > 0) - || leaps[i].change > leaps[i - 1].change)) + && (leaps[i].change > (i == 0 ? 0 : leaps[i - 1].change))) { *leap_hit = 1; while (i > 0 -- 2.47.2