Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <bd33e92c-e57f-40b3-a069-560526996036@iki.fi>
Date: Mon, 30 Mar 2026 22:34:07 +0300
From: Hannu Nyman <hannu.nyman@....fi>
To: Rich Felker <dalias@...c.org>, musl@...ts.openwall.com
Cc: Shiji Yang <yangshiji66@...look.com>
Subject: Re: strptime in 1.2.6 - is tzname[0/1] guaranteed to be set?

Rich Felker kirjoitti 30.3.2026 klo 22.27:
> On Mon, Mar 30, 2026 at 10:05:33PM +0300, Hannu Nyman wrote:
>> Rich Felker kirjoitti 23.3.2026 klo 19.38:
>>> On Mon, Mar 23, 2026 at 06:38:07PM +0200, Hannu Nyman wrote:
>>>> Is a new patch version still coming, or was the last one ("the attached is
>>>> good") already fine?
>>> Here's a fixed one,
>>>
>> Hello Rich,
>>
>> the current patch version seems to be still somewhat problematic regarding
>> the fallback 'else' part.
>>
>> +    } else {
>> +        /* FIXME: is this supposed to be an error? */
>> +        while ((**s|32)-'a' <= 'z'-'a') ++*s;
>> +    }
>>
>> To my understanding the part is supposed to consume the alpha chars of the
>> passed timezone name string and then enable further parsing of the total
>> date stamp with other possible %-modifiers. Apparently the current check
>> fails to stop at null \0 and may continue further, causing segmentation
>> error at some point.
> Oh, it's a signedness error. Changing it to
>
> 	while ((**s|32)-'a' < 26U) ++*s;
>
> would fix it. But isalpha might be a nicer approach, yes, especially
> since we have the macro that does exactly that anyway.
>
> Rich


After further thought, "isalpha" might actually be wrong,  as the quoted 
POSIX timezone format like <-02>2  are also valid.

(Reference to our discussion in 2016 ;-) 
https://www.openwall.com/lists/musl/2016/03/31/9

http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03

In the quoted form, the first character shall be the <less-than-sign> ( '<' ) 
character and the last character shall be the <greater-than-sign> ( '>' ) 
character. All characters between these quoting characters shall be 
alphanumeric characters from the portable character set in the current 
locale, the <plus-sign> ( '+' ) character, or the <hyphen-minus> ( '-' ) 
character. The /std/ and /dst/ fields in this case shall not include the 
quoting characters.

Then the STD string might be "-02" and DST would be empty.  So, isalpha would 
wrongly fail on "-02" which could quite legitimately exist there.


Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.