apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Philip Martin <phi...@codematters.co.uk>
Subject Re: Date limit in apr_time_exp_get
Date Tue, 23 Mar 2004 01:36:51 GMT
"Roy T. Fielding" <fielding@gbiv.com> writes:

> On Monday, March 22, 2004, at 04:00  PM, Philip Martin wrote:
>> This code in apr_time_exp_get:
>>
>>     year = xt->tm_year;
>>     if (year < 70 || ((sizeof(time_t) <= 4) && (year >= 138))) {
>>         return APR_EBADDATE;
>>     }
>>
>> rejects all 2038 dates even though all the 2038 dates up to
>> 2038-01-19T03:14:07.000000Z will fit into a 32-bit time_t.
>> apr_time_exp_gmt  doesn't reject these dates.
>
> Another bug due to a sloppy change from time_t to apr_time_t.
> Change days to apr_time_t and remove the above conditional
> (the case of year < 70 is already handled a few lines below).

Is the function supposed to validate it's input?  If the user supplies
a large, positive or negative, value for xt->tm_year then the
calculation may overflow.  If the user supplies an xt->tm_mon outside
the range 0-11 the function will read arbitrary memory.

-- 
Philip Martin

Mime
View raw message