basic/calendarspec: fix assert crash when year is too large in calendarspec_from_time_t()

gmtime_r() will return NULL in that case, and we would crash. I committed the reproducer case in fuzz-regressions/, even though we don't have ubsan hooked up yet. Let's add it anyway in case it is useful in the future. We actually crash anyway when compiled with asserts, so this can be easily reproduced without ubsan. oss-fuzz #6886.
2018-03-13 12:51:08 +01:00 · 2018-03-13 12:51:08 +01:00 · 55a30fd4e8
parent 20d52ab60e
commit 55a30fd4e8
3 changed files with 6 additions and 1 deletions
--- a/src/basic/calendarspec.c
+++ b/src/basic/calendarspec.c
@ -581,7 +581,8 @@ static int calendarspec_from_time_t(CalendarSpec *c, time_t time) {
        CalendarComponent *year = NULL, *month = NULL, *day = NULL, *hour = NULL, *minute = NULL, *us = NULL;
        int r;

-        assert_se(gmtime_r(&time, &tm));
+        if (!gmtime_r(&time, &tm))
+                return -ERANGE;

        r = const_chain(tm.tm_year + 1900, &year);
        if (r < 0)
--- a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886
@ -0,0 +1,3 @@
+timer
+[Timer]
+OnCalendar=@88588582097858858
--- a/test/fuzz-regressions/meson.build
+++ b/test/fuzz-regressions/meson.build
@ -31,4 +31,5 @@ fuzz_regression_tests = '''
        fuzz-dns-packet/issue-7888
        fuzz-unit-file/oss-fuzz-6884
        fuzz-unit-file/oss-fuzz-6885
+        fuzz-unit-file/oss-fuzz-6886
 '''.split()