Hi

On Mon, Dec 15, 2014 at 1:08 PM, Martin Pitt <[email protected]> wrote:
> Martin Pitt [2014-12-15 12:50 +0100]:
>> #7 0x5659c185 in time_get_dst (date=1418644009, tzfile=0x5659e9ee
>> "/etc/localtime", switch_cur=0xffffd81c, zone_cur=0xffffd810,
>> dst_cur=0xffffd809, switch_next=0xffffd824, delta_next=0xffffd820,
>> zone_next=0xffffd814, dst_next=0xffffd80a)
>> at src/shared/time-dst.c:104
>> type_idxs = 0x565b98d8 ""
>> num_types = 1
>> types = 0x565b98d8
>> zone_names = 0x565b98e0 "UTC"
>> st = {st_dev = 40, __pad1 = 348, __st_ino = 351284, st_mode = 33188,
>> st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
>> __pad2 = 4, st_size = 118, st_blksize = 4096, st_blocks = 8,
>> st_atim = {tv_sec = 1418641254, tv_nsec = 924653672},
>> st_mtim = {tv_sec = 1418641254, tv_nsec = 920653672}, st_ctim =
>> {tv_sec = 1418641254, tv_nsec = 920653672},
>> st_ino = 351284}
>> num_isstd = 1
>> num_isgmt = 1
>> tzhead = {tzh_magic = "TZif", tzh_version = "2", tzh_reserved =
>> '\000' <repeats 14 times>,
>> tzh_ttisgmtcnt = "\000\000\000\001", tzh_ttisstdcnt =
>> "\000\000\000\001", tzh_leapcnt = "\000\000\000",
>> tzh_timecnt = "\000\000\000", tzh_typecnt = "\000\000\000\001",
>> tzh_charcnt = "\000\000\000\004"}
>> chars = 4
>> i = 1
>> total_size = 12
>> types_idx = 0
>> trans_width = 4
>> tzspec_len = 0
>> num_leaps = 0
>> lo = 4294956851
>> hi = 1
>> num_transitions = 0
>> transitions = 0x565b98d8
>> f = 0x565b9970
>
> To clarify:
>
> 186 transitions = malloc0(total_size + tzspec_len);
>
> transitions gets 12 bytes allocated (see above frame for values of
> variables).
>
> 192 types = (struct ttinfo *)((char *)transitions + types_idx);
>
> As types_idx == 0, types == transitions, thus 12 bytes long.
>
> 193 zone_names = (char *)types + num_types * sizeof(struct ttinfo);
>
> num_types == 1, thus zone_names == types + 8, i. e. zone_names is 4
> bytes. chars is 4 bytes, thus
>
> 247 zone_names[chars] = '\0';
>
> writes at zone_names[4] aka transitions[12] which is one byte past the
> allocated buffer.
>
> I think the most robust solution would be to just allocate an extra
> byte so that we can always actually fit that null byte. Does that
> sound ok?

Nice catch! Applied! Thanks

David

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
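The layout arithmetic from the quoted message, as an added example that is not code from systemd or from either poster: it reads the counts out of a constructed TZif header matching the quoted frame and reports where the `zone_names[chars] = '\0'` write lands relative to the `malloc0(total_size + tzspec_len)` allocation, with and without the extra byte Martin proposes. Assumed, not taken from the page: an 8-byte, 4-byte-aligned `struct ttinfo` (consistent with the 32-bit frame) and a transitions area of `num_transitions * (trans_width + 1)` bytes rounded up to that alignment, which is 0 for the zero-transition file in the frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Counts from the fixed 44-byte TZif header (magic, version, 15 reserved
 * bytes, then six big-endian 32-bit counts), in header order. */
struct tzif_counts { uint32_t ttisgmt, ttisstd, leap, time, type, chars; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the buffer is too short or not a TZif header. */
int tzif_parse_header(const uint8_t *h, size_t len, struct tzif_counts *c) {
    if (len < 44 || memcmp(h, "TZif", 4) != 0)
        return -1;
    c->ttisgmt = be32(h + 20); c->ttisstd = be32(h + 24); c->leap = be32(h + 28);
    c->time    = be32(h + 32); c->type    = be32(h + 36); c->chars = be32(h + 40);
    return 0;
}

#define TTINFO_SIZE  8   /* assumed sizeof(struct ttinfo) in the 32-bit frame */
#define TTINFO_ALIGN 4   /* assumed alignment of struct ttinfo */

/* Offset of zone_names[chars] inside the blob, following the quoted lines:
 * types = transitions + types_idx, zone_names = types + num_types * sizeof(ttinfo). */
size_t nul_write_offset(const struct tzif_counts *c, size_t trans_width) {
    size_t types_idx = c->time * (trans_width + 1);               /* assumption */
    types_idx = (types_idx + TTINFO_ALIGN - 1) & ~(size_t)(TTINFO_ALIGN - 1);
    return types_idx + c->type * TTINFO_SIZE + c->chars;
}

/* How many bytes the NUL write lands past malloc0(total_size + tzspec_len + extra).
 * 0 means the write is in bounds; 1 is the off-by-one in the thread. */
size_t nul_overrun(const struct tzif_counts *c, size_t trans_width,
                   size_t total_size, size_t tzspec_len, size_t extra) {
    size_t alloc = total_size + tzspec_len + extra;
    size_t off = nul_write_offset(c, trans_width);
    return off < alloc ? 0 : off - alloc + 1;
}

/* Constructed header with the same counts as the quoted gdb frame:
 * ttisgmtcnt=1, ttisstdcnt=1, leapcnt=0, timecnt=0, typecnt=1, charcnt=4. */
const uint8_t sample_tzif_header[44] = {
    'T','Z','i','f','2', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0,0,0,1,  0,0,0,1,  0,0,0,0,  0,0,0,0,  0,0,0,1,  0,0,0,4 };
```

With the frame's values (total_size 12, tzspec_len 0, trans_width 4) the NUL lands at offset 12 of a 12-byte buffer, and allocating one extra byte brings it back in bounds.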
