[ros-dev] [ros-diffs] [gschneider] 42402: asctime/ctime: Check for too low input time, fixes one msvcrt time winetest
Alexander Potashev
aspotashev at gmail.com
Wed Aug 5 04:53:59 CEST 2009
I didn't really want to send this e-mail right now, but my eeepc has
strong opinions. ;)
2009/8/4 Alexander Potashev <aspotashev at gmail.com>:
> Hi,
> First of all, are you sure that this code is mature enough to care
> about minor details? I would say, "@implemented" has been added by
> mistake.
>
> About this commit: I tried to call asctime from glibc-2.8 on Linux,
> but tm_year=9 works fine (resulting in 1909). I know, it is not
> msvcrt. But I don't see any good reason to not allow years before
> 1970. Furthermore, I'm sure, this function was once introduced to just
> transform a date to human-readable format, and it shouldn't care about
> the date. Btw, MSDN says nothing
>
> Another tricky question is: How is the UNIX epoch connected with
> ReactOS (or Windows)?
>
> About 'asctime': it might be holy, but it's "holey". It doesn't even
> check the month and the day of week to fit the ranges 0..11 and 0..6
> correspondingly.
>
>
> So, please, fix the security problems first, and then revert this commit ;)
>
>
> 2009/8/4 <gschneider at svn.reactos.org>:
>> Author: gschneider
>> Date: Wed Aug 5 04:06:25 2009
>> New Revision: 42402
>>
>> URL: http://svn.reactos.org/svn/reactos?rev=42402&view=rev
>> Log:
>> asctime/ctime: Check for too low input time, fixes one msvcrt time winetest
>>
>> Modified:
>> trunk/reactos/lib/sdk/crt/time/ctime.c
>>
>> Modified: trunk/reactos/lib/sdk/crt/time/ctime.c
>> URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/sdk/crt/time/ctime.c?rev=42402&r1=42401&r2=42402&view=diff
>> ==============================================================================
>> --- trunk/reactos/lib/sdk/crt/time/ctime.c [iso-8859-1] (original)
>> +++ trunk/reactos/lib/sdk/crt/time/ctime.c [iso-8859-1] Wed Aug 5 04:06:25 2009
>> @@ -1200,14 +1200,23 @@
>> "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
>> };
>> static char result[26];
>> -
>> - (void) sprintf(result, "%.3s %.3s%3d %02d:%02d:%02d %d\n",
>> - wday_name[timeptr->tm_wday],
>> - mon_name[timeptr->tm_mon],
>> - timeptr->tm_mday, timeptr->tm_hour,
>> - timeptr->tm_min, timeptr->tm_sec,
>> - TM_YEAR_BASE + timeptr->tm_year);
>> - return result;
>> + char* res = result;
>> +
>> + /* Check for invalid input time */
>> + if (timeptr->tm_year <= 69)
>> + {
>> + res = NULL;
>> + }
>> + else
>> + {
>> + sprintf(res, "%.3s %.3s%3d %02d:%02d:%02d %d\n",
>> + wday_name[timeptr->tm_wday],
>> + mon_name[timeptr->tm_mon],
>> + timeptr->tm_mday, timeptr->tm_hour,
>> + timeptr->tm_min, timeptr->tm_sec,
>> + TM_YEAR_BASE + timeptr->tm_year);
>> + }
>> + return res;
>> }
>>
>> /*
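Review bot: The new `if (timeptr->tm_year <= 69)` test bounds only the year from below; the `sprintf` in the `else` branch still indexes `wday_name[timeptr->tm_wday]` and `mon_name[timeptr->tm_mon]` with unchecked values, so a `tm_wday` outside 0..6 or a `tm_mon` outside 0..11 reads outside those arrays. The same call writes into `static char result[26]` with no length limit, and 26 bytes holds the format `"%.3s %.3s%3d %02d:%02d:%02d %d\n"` only when the year prints as four digits, `tm_mday` as at most three characters and each time field as two; a `tm_year` large enough to give a five-digit year, or an out-of-range `tm_mday`, `tm_hour`, `tm_min` or `tm_sec`, writes past the end of the buffer. I would reject out-of-range fields in the same check as the year (returning NULL, as this branch already does) and format with a size-bounded call that is passed `sizeof(result)`. `timeptr` is also dereferenced without a NULL check, and the comment should say why 69 is the cutoff rather than just "invalid input time".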
>>
>>
>>
>