From c07f18ffd458a224e1784f128df26b340c1c39c8 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Fri, 15 May 2020 12:02:43 +0200
Subject: [PATCH] shared: fix integer overflow in calendarspec

Fixes: oss-fuzz#22208

```
test/fuzz/fuzz-calendarspec/oss-fuzz-22208... ../src/shared/calendarspec.c:666:48: runtime error: signed integer overflow: 2147000000 + 1000000 cannot be represented in type 'int'
#0 0x7f0b9f6cc56a in prepend_component ../src/shared/calendarspec.c:666
#1 0x7f0b9f6cd03a in parse_chain ../src/shared/calendarspec.c:718
#2 0x7f0b9f6cea1c in parse_calendar_time ../src/shared/calendarspec.c:845
#3 0x7f0b9f6d1397 in calendar_spec_from_string ../src/shared/calendarspec.c:1084
#4 0x401570 in LLVMFuzzerTestOneInput ../src/fuzz/fuzz-calendarspec.c:17
#5 0x401ae0 in main ../src/fuzz/fuzz-main.c:39
#6 0x7f0b9e31b1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#7 0x40122d in _start (/home/fsumsal/repos/systemd/build/fuzz-calendarspec+0x40122d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/calendarspec.c:666:48 in
```
---
 src/shared/calendarspec.c | 4 ++++
 test/fuzz/fuzz-calendarspec/oss-fuzz-22208 | 1 +
 2 files changed, 5 insertions(+)
 create mode 100644 test/fuzz/fuzz-calendarspec/oss-fuzz-22208

diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c
index b162224d9d..db6a103c42 100644
--- a/src/shared/calendarspec.c
+++ b/src/shared/calendarspec.c
@@ -659,6 +659,10 @@ static int prepend_component(const char **p, bool usec, unsigned nesting, Calend
 /* If no repeat value is specified for the µs component, then let's explicitly refuse ranges
 * below 1s because our default repeat granularity is beyond that. */
 
+ /* Overflow check */
+ if (start > INT_MAX - repeat)
+ return -ERANGE;
+
 if (usec && stop >= 0 && start + repeat > stop)
 return -EINVAL;
 }
diff --git a/test/fuzz/fuzz-calendarspec/oss-fuzz-22208 b/test/fuzz/fuzz-calendarspec/oss-fuzz-22208
new file mode 100644
index 0000000000..2bbe7628d6
--- /dev/null
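Review bot: The added guard `if (start > INT_MAX - repeat)` is only free of overflow itself when `repeat` is non-negative, and nothing in the hunk establishes that; if the earlier assignments to `repeat` in prepend_component (outside this hunk) guarantee it, a short comment stating that invariant next to the check would keep it from being silently broken by a later change. The new block is also inserted between the existing "refuse ranges below 1s" comment and the `if (usec && stop >= 0 && start + repeat > stop)` line it explains, so moving the three added lines above that comment would keep the comment attached to its code. Since the guard exists solely to make the `start + repeat` sum below well-defined, replacing `/* Overflow check */` with `/* start + repeat below must not overflow int; refuse the component instead (oss-fuzz#22208) */` records why -ERANGE is returned here. The body of prepend_component begins and ends outside the hunk.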
+++ b/test/fuzz/fuzz-calendarspec/oss-fuzz-22208
@@ -0,0 +1 @@
+4:3:2147..2
\ No newline at end of file