From: Zbigniew Jędrzejewski-Szmek Date: Tue, 13 Mar 2018 11:51:08 +0000 (+0100) Subject: basic/calendarspec: fix assert crash when year is too large in calendarspec_from_time_t() X-Git-Tag: v239~548^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=55a30fd4e8;p=thirdparty%2Fsystemd.git basic/calendarspec: fix assert crash when year is too large in calendarspec_from_time_t() gmtime_r() will return NULL in that case, and we would crash. I committed the reproducer case in fuzz-regressions/, even though we don't have ubsan hooked up yet. Let's add it anyway in case it is useful in the future. We actually crash anyway when compiled with asserts, so this can be easily reproduced without ubsan. oss-fuzz #6886. --- diff --git a/src/basic/calendarspec.c b/src/basic/calendarspec.c index fd780227732..3918428a576 100644 --- a/src/basic/calendarspec.c +++ b/src/basic/calendarspec.c @@ -581,7 +581,8 @@ static int calendarspec_from_time_t(CalendarSpec *c, time_t time) { CalendarComponent *year = NULL, *month = NULL, *day = NULL, *hour = NULL, *minute = NULL, *us = NULL; int r; - assert_se(gmtime_r(&time, &tm)); + if (!gmtime_r(&time, &tm)) + return -ERANGE; r = const_chain(tm.tm_year + 1900, &year); if (r < 0) diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 new file mode 100644 index 00000000000..1fbe5ffd99e --- /dev/null +++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 @@ -0,0 +1,3 @@ +timer +[Timer] +OnCalendar=@88588582097858858 \ No newline at end of file diff --git a/test/fuzz-regressions/meson.build b/test/fuzz-regressions/meson.build index 9753c61882f..ee00bcd0469 100644 --- a/test/fuzz-regressions/meson.build +++ b/test/fuzz-regressions/meson.build @@ -31,4 +31,5 @@ fuzz_regression_tests = ''' fuzz-dns-packet/issue-7888 fuzz-unit-file/oss-fuzz-6884 fuzz-unit-file/oss-fuzz-6885 + fuzz-unit-file/oss-fuzz-6886 '''.split()
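Review bot: in the calendarspec.c hunk, `if (!gmtime_r(&time, &tm)) return -ERANGE;` picks an error code that does not match the libc: POSIX specifies that gmtime_r() returns NULL with errno set to EOVERFLOW when the year does not fit in `tm.tm_year`, so `return -EOVERFLOW;` (or `return -errno;` after verifying errno is set) would keep the code consistent with what the library reports, and the caller of calendarspec_from_time_t() should turn the negative return into a parse error for the `@<seconds>` form rather than a generic failure. The early return itself is safe: `year`, `month`, `day`, `hour`, `minute` and `us` are still NULL at that point and nothing has been allocated yet, so there is no cleanup to do.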
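Review bot: the new reproducer `oss-fuzz-6886` is committed without a trailing newline (`\ No newline at end of file`), which is fine for a fuzzer corpus entry, but the trigger is simply `OnCalendar=@88588582097858858` (roughly 2.8 billion years, beyond what an `int` `tm_year` can hold), so a regular unit test for the calendarspec parser asserting that an `@` value this large is rejected with a negative return would cover the fix in builds where the fuzz regression inputs are not run and does not depend on the fuzzer binary being built.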