From 55a30fd4e832891604b1775cbfb06a85d52d9424 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 13 Mar 2018 12:51:08 +0100 Subject: [PATCH] basic/calendarspec: fix assert crash when year is too large in calendarspec_from_time_t() gmtime_r() will return NULL in that case, and we would crash. I committed the reproducer case in fuzz-regressions/, even though we don't have ubsan hooked up yet. Let's add it anyway in case it is useful in the future. We actually crash anyway when compiled with asserts, so this can be easily reproduced without ubsan. oss-fuzz #6886. --- src/basic/calendarspec.c | 3 ++- test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 | 3 +++ test/fuzz-regressions/meson.build | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886
diff --git a/src/basic/calendarspec.c b/src/basic/calendarspec.c
index fd78022773..3918428a57 100644
--- a/src/basic/calendarspec.c
+++ b/src/basic/calendarspec.c
@@ -581,7 +581,8 @@ static int calendarspec_from_time_t(CalendarSpec *c, time_t time) {
 CalendarComponent *year = NULL, *month = NULL, *day = NULL, *hour = NULL, *minute = NULL, *us = NULL;
 int r;
- assert_se(gmtime_r(&time, &tm));
+ if (!gmtime_r(&time, &tm))
+ return -ERANGE;
 r = const_chain(tm.tm_year + 1900, &year);
 if (r < 0)
diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886
new file mode 100644
index 0000000000..1fbe5ffd99
--- /dev/null
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886
@@ -0,0 +1,3 @@
+timer
+[Timer]
+OnCalendar=@88588582097858858
\ No newline at end of file
diff --git a/test/fuzz-regressions/meson.build b/test/fuzz-regressions/meson.build
index 9753c61882..ee00bcd046 100644
--- a/test/fuzz-regressions/meson.build
+++ b/test/fuzz-regressions/meson.build
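Review bot: The new `if (!gmtime_r(&time, &tm))` check in calendarspec_from_time_t() is undocumented, and a reader will not know why a call that is usually treated as infallible is now checked; a one-line comment above it such as `/* gmtime_r() fails when the year does not fit in tm.tm_year, e.g. for huge @-timestamps */` would carry the reasoning from the commit message into the code. Returning the fixed -ERANGE is defensible because POSIX does not require gmtime_r() to set errno on this failure, although glibc does report EOVERFLOW; if that distinction matters to callers, `return errno > 0 ? -errno : -ERANGE;` would keep the library's code while still guaranteeing a negative result. Whether every caller turns this negative return into a parse error for the user rather than treating the partially filled CalendarSpec as valid cannot be seen from this hunk, so it is worth confirming at the call site. The body of calendarspec_from_time_t() begins and ends outside the hunk.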
@@ -31,4 +31,5 @@ fuzz_regression_tests = '''
 fuzz-dns-packet/issue-7888
 fuzz-unit-file/oss-fuzz-6884
 fuzz-unit-file/oss-fuzz-6885
+ fuzz-unit-file/oss-fuzz-6886
 '''.split()