"Roy T. Fielding" <[EMAIL PROTECTED]> writes:

> On Monday, March 22, 2004, at 04:00  PM, Philip Martin wrote:
>> This code in apr_time_exp_get:
>>
>>     year = xt->tm_year;
>>     if (year < 70 || ((sizeof(time_t) <= 4) && (year >= 138))) {
>>         return APR_EBADDATE;
>>     }
>>
>> rejects all 2038 dates even though all the 2038 dates up to
>> 2038-01-19T03:14:07.000000Z will fit into a 32-bit time_t.
>> apr_time_exp_gmt doesn't reject these dates.
>
> Another bug due to a sloppy change from time_t to apr_time_t.
> Change days to apr_time_t and remove the above conditional
> (the case of year < 70 is already handled a few lines below).

Is the function supposed to validate its input?  If the user supplies
a large, positive or negative, value for xt->tm_year then the
calculation may overflow.  If the user supplies an xt->tm_mon outside
the range 0-11 the function will read arbitrary memory.

-- 
Philip Martin
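
Added example, not part of the original message and not APR code: a standalone C sketch of the checks raised in this thread, which range-checks tm_mon before it indexes a table, bounds tm_year before any multiplication, and compares the final 64-bit second count (rather than the year) against the 32-bit limit. The struct, status codes, table and function name are hypothetical; only the field names tm_year and tm_mon come from the thread.

```c
#include <stdint.h>

/* Hypothetical stand-in for the exploded-time struct; only tm_year and
 * tm_mon are named in the thread, the other fields are assumed. */
typedef struct {
    int tm_year, tm_mon, tm_mday, tm_hour, tm_min, tm_sec;
} exp_time;

#define EXP_OK      0
#define EXP_BADDATE 1   /* constructed status code, not APR's value */

/* Days before the first of each month in a non-leap year. */
static const int days_before[12] =
    {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};

/* Convert to seconds since 1970; succeed only if it fits a 32-bit time_t. */
int exp_to_time32(const exp_time *xt, int32_t *out)
{
    /* Check every field before it is used as an index or multiplied. */
    if (xt->tm_mon  < 0  || xt->tm_mon  > 11)  return EXP_BADDATE;
    if (xt->tm_year < 70 || xt->tm_year > 138) return EXP_BADDATE;
    if (xt->tm_mday < 1  || xt->tm_mday > 31)  return EXP_BADDATE;
    if (xt->tm_hour < 0  || xt->tm_hour > 23)  return EXP_BADDATE;
    if (xt->tm_min  < 0  || xt->tm_min  > 59)  return EXP_BADDATE;
    if (xt->tm_sec  < 0  || xt->tm_sec  > 60)  return EXP_BADDATE;

    int64_t y = (int64_t)xt->tm_year + 1900;
    /* Leap days between 1970-01-01 and January 1 of year y. */
    int64_t leaps = (y - 1969) / 4 - (y - 1901) / 100 + (y - 1601) / 400;
    int64_t days = (y - 1970) * 365 + leaps
                 + days_before[xt->tm_mon] + (xt->tm_mday - 1);
    /* Add the leap day of year y itself once February has passed. */
    if (xt->tm_mon > 1 && y % 4 == 0 && (y % 100 != 0 || y % 400 == 0))
        days++;

    int64_t secs = ((days * 24 + xt->tm_hour) * 60 + xt->tm_min) * 60 + xt->tm_sec;
    /* Year 138 is allowed above; the real cut-off is the second count. */
    if (secs > INT32_MAX) return EXP_BADDATE;
    *out = (int32_t)secs;
    return EXP_OK;
}
```

The day-of-month check is deliberately loose (it does not know month lengths); it only keeps the arithmetic bounded.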
