shared: fix integer overflow in calendarspec
authorFrantisek Sumsal <frantisek@sumsal.cz>
Fri, 15 May 2020 10:02:43 +0000 (12:02 +0200)
committerLennart Poettering <lennart@poettering.net>
Fri, 15 May 2020 14:07:29 +0000 (16:07 +0200)
Fixes: oss-fuzz#22208
```
test/fuzz/fuzz-calendarspec/oss-fuzz-22208... ../src/shared/calendarspec.c:666:48: runtime error: signed integer overflow: 2147000000 + 1000000 cannot be represented in type 'int'
    #0 0x7f0b9f6cc56a in prepend_component ../src/shared/calendarspec.c:666
    #1 0x7f0b9f6cd03a in parse_chain ../src/shared/calendarspec.c:718
    #2 0x7f0b9f6cea1c in parse_calendar_time ../src/shared/calendarspec.c:845
    #3 0x7f0b9f6d1397 in calendar_spec_from_string ../src/shared/calendarspec.c:1084
    #4 0x401570 in LLVMFuzzerTestOneInput ../src/fuzz/fuzz-calendarspec.c:17
    #5 0x401ae0 in main ../src/fuzz/fuzz-main.c:39
    #6 0x7f0b9e31b1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #7 0x40122d in _start (/home/fsumsal/repos/systemd/build/fuzz-calendarspec+0x40122d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/calendarspec.c:666:48 in
```

src/shared/calendarspec.c
test/fuzz/fuzz-calendarspec/oss-fuzz-22208 [new file with mode: 0644]

index b162224d9db8c5872defa024c2a3d4ff7d33102a..db6a103c42a74ed382359a1e32fba5795efcb63c 100644 (file)
@@ -659,6 +659,10 @@ static int prepend_component(const char **p, bool usec, unsigned nesting, Calend
                 /* If no repeat value is specified for the µs component, then let's explicitly refuse ranges
                  * below 1s because our default repeat granularity is beyond that. */
 
+                /* Overflow check */
+                if (start > INT_MAX - repeat)
+                        return -ERANGE;
+
                 if (usec && stop >= 0 && start + repeat > stop)
                         return -EINVAL;
         }
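Review bot: The new guard fires on every path through this else-branch, while the addition it protects on the next line is only evaluated when `usec && stop >= 0`, so inputs that never reach `start + repeat` can now be rejected with -ERANGE; folding it into that condition keeps the non-µs behaviour unchanged: `if (usec && stop >= 0 && (start > INT_MAX - repeat || start + repeat > stop)) return -EINVAL;`. Returning -EINVAL there is also the consistent choice, since a sum that cannot be represented necessarily exceeds `stop`, which the existing line already treats as an invalid range. The check assumes `repeat` is non-negative at this point (otherwise `INT_MAX - repeat` itself overflows); that is presumably the case here but `repeat` is assigned outside the hunk, so the terse `/* Overflow check */` would be more useful as `/* repeat is >= 0 here, so INT_MAX - repeat cannot itself overflow */`. prepend_component starts and ends outside the hunk.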
diff --git a/test/fuzz/fuzz-calendarspec/oss-fuzz-22208 b/test/fuzz/fuzz-calendarspec/oss-fuzz-22208
new file mode 100644 (file)
index 0000000..2bbe762
--- /dev/null
@@ -0,0 +1 @@
+4:3:2147..2
\ No newline at end of file