Add range assertions to asctime_r()

18a12c6c · Peter Limkilde Svendsen · 2ed55a92 · 18a12c6c
Commit 18a12c6c authored 4 years ago by Peter Limkilde Svendsen
--- a/src/header/time/mod.rs
+++ b/src/header/time/mod.rs
@@ -79,18 +79,66 @@ pub unsafe extern "C" fn asctime(timeptr: *const tm) -> *mut c_char {
 #[no_mangle]
 pub unsafe extern "C" fn asctime_r(tm: *const tm, buf: *mut c_char) -> *mut c_char {
-    let tm = &*tm;
+    let tm_sec = (*tm).tm_sec;
+    let tm_min = (*tm).tm_min;
+    let tm_hour = (*tm).tm_hour;
+    let tm_mday = (*tm).tm_mday;
+    let tm_mon = (*tm).tm_mon;
+    let tm_year = (*tm).tm_year;
+    let tm_wday = (*tm).tm_wday;
+    /* Panic when we run into undefined behavior.
+     *
+     * POSIX says (since issue 7) that asctime()/asctime_r() cause UB
+     * when the tm member values would cause out-of-bounds array access
+     * or overflow the output buffer. This contrasts with ISO C11+,
+     * which specifies UB for any tm members being outside their normal
+     * ranges. While POSIX explicitly defers to the C standard in case
+     * of contradictions, the assertions below follow the interpretation
+     * that POSIX simply defines some of C's undefined behavior, rather
+     * than conflict with the ISO standard.
+     *
+     * Note that C's "%.2d" formatting, unlike Rust's "{:02}"
+     * formatting, does not count a minus sign against the two digits to
+     * print, meaning that we must reject all negative values for
+     * seconds, minutes and hours. However, C's "%3d" (for day-of-month)
+     * is similar to Rust's "{:3}".
+     *
+     * To avoid year overflow problems (in Rust, where numeric overflow
+     * is considered an error), we subtract 1900 from the endpoints,
+     * rather than adding to the tm_year value. POSIX' requirement that
+     * tm_year be at most {INT_MAX}-1990 is satisfied for all legal
+     * values of {INT_MAX} through the max-4-digit requirement on the
+     * year.
+     *
+     * The tm_mon and tm_wday fields are used for array access and thus
+     * will already cause a panic in Rust code when out of range.
+     * However, using the assertions below allows a consistent error
+     * message for all fields. */
+    const OUT_OF_RANGE_MESSAGE: &str = "tm member out of range";
+    assert!(0 <= tm_sec && tm_sec <= 99, OUT_OF_RANGE_MESSAGE);
+    assert!(0 <= tm_min && tm_min <= 99, OUT_OF_RANGE_MESSAGE);
+    assert!(0 <= tm_hour && tm_hour <= 99, OUT_OF_RANGE_MESSAGE);
+    assert!(-99 <= tm_mday && tm_mday <= 999, OUT_OF_RANGE_MESSAGE);
+    assert!(0 <= tm_mon && tm_mon <= 11, OUT_OF_RANGE_MESSAGE);
+    assert!(
+        -999 - 1900 <= tm_year && tm_year <= 9999 - 1900,
+        OUT_OF_RANGE_MESSAGE
+    );
+    assert!(0 <= tm_wday && tm_wday <= 6, OUT_OF_RANGE_MESSAGE);
    let result = core::fmt::write(
        &mut platform::UnsafeStringWriter(buf as *mut u8),
        format_args!(
            "{:.3} {:.3}{:3} {:02}:{:02}:{:02} {}\n",
-            DAY_NAMES[tm.tm_wday as usize],
+            DAY_NAMES[tm_wday as usize],
-            MON_NAMES[tm.tm_mon as usize],
+            MON_NAMES[tm_mon as usize],
-            tm.tm_mday as usize,
+            tm_mday as usize,
-            tm.tm_hour as usize,
+            tm_hour as usize,
-            tm.tm_min as usize,
+            tm_min as usize,
-            tm.tm_sec as usize,
+            tm_sec as usize,
-            (1900 + tm.tm_year)
+            (1900 + tm_year)
        ),
    );
    match result {