[ros-dev] [ros-diffs] [gschneider] 42402: asctime/ctime: Check for too low input time, fixes one msvcrt time winetest

Alexander Potashev aspotashev at gmail.com
Wed Aug 5 04:52:43 CEST 2009


Hi,
First of all, are you sure that this code is mature enough to care
about minor details? I would say, "@implemented" has been added by
mistake.

About this commit: I tried to call asctime from glibc-2.8 on Linux,
but tm_year=9 works fine (resulting in 1909). I know, it is not
msvcrt. But I don't see any good reason to not allow years before
1970. Furthermore, I'm sure, this function was once introduced to just
transform a date to human-readable format, and it shouldn't care about
the date. Btw, MSDN says nothing

Another tricky question is: How is the UNIX epoch connected with
ReactOS (or Windows)?

About 'asctime': it might be holy, but it's "holey". It doesn't even
check the month and the day of week to fit the ranges 0..11 and 0..6
correspondingly.


So, please, fix the security problems first, and then revert this commit ;)


2009/8/4  <gschneider at svn.reactos.org>:
> Author: gschneider
> Date: Wed Aug  5 04:06:25 2009
> New Revision: 42402
>
> URL: http://svn.reactos.org/svn/reactos?rev=42402&view=rev
> Log:
> asctime/ctime: Check for too low input time, fixes one msvcrt time winetest
>
> Modified:
>    trunk/reactos/lib/sdk/crt/time/ctime.c
>
> Modified: trunk/reactos/lib/sdk/crt/time/ctime.c
> URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/sdk/crt/time/ctime.c?rev=42402&r1=42401&r2=42402&view=diff
> ==============================================================================
> --- trunk/reactos/lib/sdk/crt/time/ctime.c [iso-8859-1] (original)
> +++ trunk/reactos/lib/sdk/crt/time/ctime.c [iso-8859-1] Wed Aug  5 04:06:25 2009
> @@ -1200,14 +1200,23 @@
>     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
>   };
>   static char result[26];
> -
> -  (void) sprintf(result, "%.3s %.3s%3d %02d:%02d:%02d %d\n",
> -         wday_name[timeptr->tm_wday],
> -         mon_name[timeptr->tm_mon],
> -         timeptr->tm_mday, timeptr->tm_hour,
> -         timeptr->tm_min, timeptr->tm_sec,
> -         TM_YEAR_BASE + timeptr->tm_year);
> -  return result;
> +  char* res = result;
> +
> +  /* Check for invalid input time */
> +  if (timeptr->tm_year <= 69)
> +  {
> +    res = NULL;
> +  }
> +  else
> +  {
> +    sprintf(res, "%.3s %.3s%3d %02d:%02d:%02d %d\n",
> +            wday_name[timeptr->tm_wday],
> +            mon_name[timeptr->tm_mon],
> +            timeptr->tm_mday, timeptr->tm_hour,
> +            timeptr->tm_min, timeptr->tm_sec,
> +            TM_YEAR_BASE + timeptr->tm_year);
> +  }
> +  return res;
>  }
>
>  /*
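Review bot: the added check `if (timeptr->tm_year <= 69)` validates only the year, so in the else branch `wday_name[timeptr->tm_wday]` and `mon_name[timeptr->tm_mon]` are still indexed with unchecked values, and an out-of-range tm_wday or tm_mon reads outside those tables. The `sprintf` into `static char result[26]` is also unbounded: `%3d`, `%02d` and `%d` are minimum widths, so oversized tm_mday, tm_hour, tm_min, tm_sec or tm_year values can write past the 26 bytes. Suggest rejecting tm_wday outside 0..6 and tm_mon outside 0..11 on the same NULL-returning path, and range-checking or length-bounding the remaining fields before formatting. The `<= 69` threshold would also benefit from a comment naming the msvcrt behaviour it mirrors, since the log only says it fixes a winetest.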
>
>
>
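The range checks the message says `asctime` lacks, as an added C example that is not ReactOS code and not part of the original e-mail. `checked_asctime`, `YEAR_BASE` and `ASCTIME_LEN` are hypothetical names, and the caller-supplied buffer and the 0..9999 year limit are assumptions; pre-1970 years such as the tm_year=9 case from the message are accepted.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define YEAR_BASE   1900  /* tm_year counts from 1900 (tm_year=9 -> 1909) */
#define ASCTIME_LEN 26    /* same size as the static result[] in the patch */

/* Hypothetical helper: returns buf on success, NULL if any field is out of
 * range or the formatted text would not fit in ASCTIME_LEN bytes. */
char *checked_asctime(const struct tm *t, char buf[ASCTIME_LEN])
{
    static const char wday_name[7][4] = {
        "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
    };
    static const char mon_name[12][4] = {
        "Jan", "Feb", "Mar", "Apr", "May", "Jun",
        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
    };
    int n;

    if (t == NULL || buf == NULL)
        return NULL;
    /* Table indexes first: these are the unchecked array reads. */
    if (t->tm_wday < 0 || t->tm_wday > 6 || t->tm_mon < 0 || t->tm_mon > 11)
        return NULL;
    /* Remaining fields: keep every conversion within its printed width. */
    if (t->tm_mday < 1 || t->tm_mday > 31 || t->tm_hour < 0 || t->tm_hour > 23 ||
        t->tm_min < 0 || t->tm_min > 59 || t->tm_sec < 0 || t->tm_sec > 60)
        return NULL;
    /* Assumed limit: four-digit years only, which also avoids int overflow
     * in YEAR_BASE + tm_year. */
    if (t->tm_year < -YEAR_BASE || t->tm_year > 9999 - YEAR_BASE)
        return NULL;

    /* snprintf never writes past the buffer; treat truncation as failure. */
    n = snprintf(buf, ASCTIME_LEN, "%.3s %.3s%3d %02d:%02d:%02d %d\n",
                 wday_name[t->tm_wday], mon_name[t->tm_mon],
                 t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec,
                 YEAR_BASE + t->tm_year);
    if (n < 0 || n >= ASCTIME_LEN)
        return NULL;
    return buf;
}
```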


