summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPádraig Brady <P@draigBrady.com>2015-02-09 15:48:40 +0000
committerPádraig Brady <P@draigBrady.com>2015-02-11 00:35:08 +0000
commit50820f8470a0f3d5c5359df1387b30eddd839ba4 (patch)
tree71e60eb428ea609cabbc67d4c681a4c1e71ce518
parent430bda373361addf16962301b3afaf1b19ee9fc8 (diff)
downloadcoreutils-50820f8470a0f3d5c5359df1387b30eddd839ba4.tar.xz
maint: avoid arbitrary memory access with buggy localtime()
* src/ls.c (align_nstrftime): Be defensive and validate the tm_mon index before using to access the abmon array. This was _not_ seen to be an issue any system. See https://bugzilla.redhat.com/1190454
-rw-r--r--src/ls.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/ls.c b/src/ls.c
index cb9d3d6a2..469852074 100644
--- a/src/ls.c
+++ b/src/ls.c
@@ -3665,7 +3665,8 @@ align_nstrftime (char *buf, size_t size, char const *fmt, struct tm const *tm,
the replacement is not done. A malloc here slows ls down by 2% */
char rpl_fmt[sizeof (abmon[0]) + 100];
const char *pb;
- if (required_mon_width && (pb = strstr (fmt, "%b")))
+ if (required_mon_width && (pb = strstr (fmt, "%b"))
+ && 0 <= tm->tm_mon && tm->tm_mon <= 11)
{
if (strlen (fmt) < (sizeof (rpl_fmt) - sizeof (abmon[0]) + 2))
{