Problem reported by GitHub user rootvector2.
* NEWS: Mention this.
* zic.c (outzone): Increase envvar len max.
---
 NEWS | 5 +++++
 zic.c | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 905a086d..d4ba011b 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,11 @@ Unreleased, experimental changes
 zic no longer mishandles a last transition to a new time type.
+ zic no longer overflows a buffer when generating a TZ string like
+ "PST-167:59:58PDT-167:59:59,M11.5.6/-167:59:59,M12.5.6/-167:59:59",
+ which can occur with adversarial input. (Thanks to GitHub
+ user rootvector2.)
+
 Release 2026a - 2026-03-01 22:59:49 -0800
diff --git a/zic.c b/zic.c
index 225ad419..77396228 100644
--- a/zic.c
+++ b/zic.c
@@ -3416,12 +3416,16 @@ outzone(const struct zone *zpfirst, ptrdiff_t zonecount)
 int nonTZlimtype = -1;
 zic_t max_year0;
 int defaulttype = -1;
+ int max_stringoffset_len = sizeof "-167:59:59" - 1;
+ int max_comma_stringrule_len = (sizeof ",M12.5.6/" - 1
+ + max_stringoffset_len);
 check_for_signal();
 /* This cannot overflow; see FORMAT_LEN_GROWTH_BOUND. */
 max_abbr_len = 2 + max_format_len + max_abbrvar_len;
- max_envvar_len = 2 * max_abbr_len + 5 * 9;
+ max_envvar_len = 2 * (max_abbr_len + max_stringoffset_len
+ + max_comma_stringrule_len);
 startbuf = xmalloc(max_abbr_len + 1);
 ab = xmalloc(max_abbr_len + 1);
--
2.51.0
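Review bot: The new bound on the TZ-string size is only as safe as the widest text stringoffset and stringrule can actually emit, and the hunk records that assumption nowhere; the literals "-167:59:59" and ",M12.5.6/" are the fix, so they deserve a comment tying them to the formatting code, e.g. `/* Longest outputs of stringoffset ("-167:59:59") and stringrule (",M12.5.6/" plus an offset); keep in sync with the hour limit those functions enforce.  */`, and if stringoffset does cap hours below 1000 as the constant implies, say so there too. The two values are compile-time constants but are declared as `int` locals initialised from `size_t` expressions, which narrows silently under -Wconversion; a file-scope `enum { MAX_STRINGOFFSET_LEN = sizeof "-167:59:59" - 1, MAX_COMMA_STRINGRULE_LEN = sizeof ",M12.5.6/" - 1 + MAX_STRINGOFFSET_LEN };` placed next to stringoffset would avoid the narrowing and keep the bound beside the code it mirrors. The adversarial input quoted in NEWS is a ready-made regression case; it is worth adding to whatever check target the build runs so a future change to the formatters cannot silently reopen the overflow. The allocation that consumes max_envvar_len, and the rest of outzone, lie outside this hunk, so whether the terminating NUL is still accounted for there cannot be confirmed from the diff.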