basic/calendarspec: fix assert crash when year is too large in calendarspec_from_time_t() 8441/head
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 13 Mar 2018 11:51:08 +0000 (12:51 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 14 Mar 2018 15:50:09 +0000 (16:50 +0100)
gmtime_r() will return NULL in that case, and we would crash.

I committed the reproducer case in fuzz-regressions/, even though we don't have
ubsan hooked up yet. Let's add it anyway in case it is useful in the future. We
actually crash anyway when compiled with asserts, so this can be easily
reproduced without ubsan.

oss-fuzz #6886.

src/basic/calendarspec.c
test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 [new file with mode: 0644]
test/fuzz-regressions/meson.build

index fd7802277321d05a13e5052551a7d040d07fc14d..3918428a576c296c4dea640be1c72d4d0f2fd5e6 100644 (file)
@@ -581,7 +581,8 @@ static int calendarspec_from_time_t(CalendarSpec *c, time_t time) {
         CalendarComponent *year = NULL, *month = NULL, *day = NULL, *hour = NULL, *minute = NULL, *us = NULL;
         int r;
 
-        assert_se(gmtime_r(&time, &tm));
+        if (!gmtime_r(&time, &tm))
+                return -ERANGE;
 
         r = const_chain(tm.tm_year + 1900, &year);
         if (r < 0)
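Review bot: The new `if (!gmtime_r(&time, &tm)) return -ERANGE;` removes the crash but leaves the reader guessing how converting a time_t can fail, and the diff gives no comment; I would add one above it, e.g. `/* gmtime_r() fails when the year does not fit into tm.tm_year (int), which a parsed "@<seconds>" value can trigger; reject it instead of asserting. */`. POSIX has gmtime_r() set errno (EOVERFLOW) on that failure, so `return -errno;` would carry the libc's own reason, though a fixed -ERANGE is an acceptable contract if that is what the callers expect. Whether the callers of calendarspec_from_time_t() propagate the now-possible negative return rather than treating failure as impossible is not visible in this hunk and is worth checking, since the reproducer shows the input arrives from unit-file parsing. calendarspec_from_time_t() both starts and ends outside the hunk.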
diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886
new file mode 100644 (file)
index 0000000..1fbe5ff
--- /dev/null
@@ -0,0 +1,3 @@
+timer
+[Timer]
+OnCalendar=@88588582097858858
\ No newline at end of file
index 9753c61882f95646e5a32b451c83e836ae4e6354..ee00bcd046930bebec12dcb49909f55bcbef3623 100644 (file)
@@ -31,4 +31,5 @@ fuzz_regression_tests = '''
         fuzz-dns-packet/issue-7888
         fuzz-unit-file/oss-fuzz-6884
         fuzz-unit-file/oss-fuzz-6885
+        fuzz-unit-file/oss-fuzz-6886
 '''.split()