Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <549191FE7B71D311BC5900104B292132167EF1@kirk.takefive.co.at>
From: Martin Oberhuber <martin DOT oberhuber AT windriver DOT com>
To: "'cygwin AT sourceware DOT cygnus DOT com'" <cygwin AT sourceware DOT cygnus DOT com>
Subject: 1.1.4: BUG in date.exe causes memory overflow if resulting datest
	ring is empty
Date: Thu, 21 Sep 2000 23:52:11 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed;
	boundary="----_=_NextPart_000_01C02416.32481880"

------_=_NextPart_000_01C02416.32481880
Content-Type: text/plain;
	charset="iso-8859-1"

When you execute
   date +"%Z"
the date.exe program consumes all available memory until it 
terminates. The reason is that "%Z" results in an empty string
if the time zone is not set appropriately. 

Looking at the code in src/shellutils/src/date.c:341 , we see
the problem -- strftime(), which is used to format the date
string, returns 0 both when the date string is empty and when
it ran out of memory. In my opinion, this is quite sick behaviour
-- but well, we can't get around strftime() if we want to be
POSIXly correct.

So I think the only bulletproof solution is to make sure that
the date string CANNOT be empty after calling strftime().
The patch attached does just that:

  int in_length = strlen(formatstr);
  char *safe_format = (char *)malloc(in_length+2);
  *safe_format = 'X';   /* force non-empty result ! */
  strcpy(safe_format+1, formatstr);
  out_length = in_length;
  do {
    out_length += 200;
    out = (char *) xrealloc (out, out_length);
  }
  while (strftime (out, out_length, safe_format, tm) == 0);
  printf ("%s\n", out+1);
  free(out);
  free(safe_format);

I compiled and tested with gcc 2.95.2 -- date.exe becomes 1536 bytes
larger (most probably due to using strcpy() and strlen() ) but it's
safe now...

[/] diff -c src/shellutils/src/date.c.orig src/shellutils/src/date.c > date_patch.txt

Cheers,
Martin

--
---------------------------------/()\-----------------------------------
DI Martin Oberhuber                mailto:martin DOT oberhuber AT windriver DOT com
Field Support Engineer             Phone  (UTC +1h): +43 (662) 457915-85
TakeFive Software GmbH, a Wind River Company    Fax: +43 (662) 457915-6
Jakob-Haringer-Str.8, A-5020 Salzburg, Austria  http://www.windriver.com
---------------- The Leader in Source Code Engineering -----------------


------_=_NextPart_000_01C02416.32481880
Content-Type: text/plain;
	name="date_patch.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="date_patch.txt"

*** src/shellutils/src/date.c.orig	Tue Sep 19 11:49:45 2000=0A=
--- src/shellutils/src/date.c	Thu Sep 21 23:37:29 2000=0A=
***************=0A=
*** 310,317 ****=0A=
  show_date (const char *format, time_t when)=0A=
  {=0A=
    struct tm *tm;=0A=
    char *out =3D NULL;=0A=
!   size_t out_length =3D 0;=0A=
  =0A=
    tm =3D localtime (&when);=0A=
  =0A=
--- 310,319 ----=0A=
  show_date (const char *format, time_t when)=0A=
  {=0A=
    struct tm *tm;=0A=
+   char *safe_format;=0A=
+   size_t in_length;=0A=
    char *out =3D NULL;=0A=
!   size_t out_length;=0A=
  =0A=
    tm =3D localtime (&when);=0A=
  =0A=
***************=0A=
*** 336,350 ****=0A=
        return;=0A=
      }=0A=
  =0A=
    do=0A=
      {=0A=
        out_length +=3D 200;=0A=
        out =3D (char *) xrealloc (out, out_length);=0A=
      }=0A=
!   while (strftime (out, out_length, format, tm) =3D=3D 0);=0A=
  =0A=
!   printf ("%s\n", out);=0A=
    free (out);=0A=
  }=0A=
  =0A=
  static void=0A=
--- 338,357 ----=0A=
        return;=0A=
      }=0A=
  =0A=
+   out_length =3D in_length =3D strlen(format);=0A=
+   safe_format =3D (char *)malloc(in_length+2);=0A=
+   *safe_format =3D 'X';=0A=
+   strcpy(safe_format+1, format);=0A=
    do=0A=
      {=0A=
        out_length +=3D 200;=0A=
        out =3D (char *) xrealloc (out, out_length);=0A=
      }=0A=
!   while (strftime (out, out_length, safe_format, tm) =3D=3D 0);=0A=
  =0A=
!   printf ("%s\n", out+1);=0A=
    free (out);=0A=
+   free (safe_format);=0A=
  }=0A=
  =0A=
  static void=0A=


------_=_NextPart_000_01C02416.32481880
Content-Type: text/plain; charset=us-ascii

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com
------_=_NextPart_000_01C02416.32481880--