Date: Sat, 30 Jan 2010 21:22:41 +0000 (UTC)
From: Edwin Groothuis <edwin@mavetju.org>
Message-ID: <loom.20100130T221814-351@post.gmane.org>

| I don't know if these are FreeBSD specific,

They aren't.

| but the following ones take the
| "struct tm *" without checking the values neither:
|
| * time1() via mktime(), gmtime().

Those are OK, that "struct tm" comes from the user, if the user wants
their program to crash, they can pass in any bogus value they want.
The only internal calls of those functions I can see (eg: from in strftime())
never pass a NULL value in (since the struct tm there is the starting
point, it is typically explicitly allocated (declared as a variable)
rather than obtained from one of the other functions).

| * asctime_r().

Yes, that's the one (the asctime() variant interface isn't interesting itself) -
technically asctime() (or asctime_r()) shouldn't need to verify its input
parameters either - it is only because it is called internally that makes
me suggest it (and which is why the problem could also be fixed in ctime()).

I'm suggesting adding this check into asctime() (into asctime_r() really
of course) because code like is in ctime() has been a programming idiom
on unix systems for almost 40 years now - there will be lots of code that
simply assumes that localtime() (etc) cannot fail, and so does
asctime(localtime(&t)) or similar.

kre
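The failure mode discussed in this message, shown from the caller's side as an added example (not part of the original message and not code from the tz library): a ctime()-style formatter that checks the localtime() result before using it. The names checked_ctime, unrepresentable_time and formatted_length are assumptions of this example, and the sample time values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper (name is an assumption of this example): formats *t
 * in the asctime() layout, but checks the localtime() result instead of
 * passing it straight on as asctime(localtime(&t)) does.
 * Returns buf on success, NULL when t cannot be converted or formatted. */
char *checked_ctime(const time_t *t, char *buf, size_t len)
{
    const struct tm *tm;

    if (t == NULL || buf == NULL || len == 0)
        return NULL;
    tm = localtime(t);              /* may fail, e.g. year does not fit in int */
    if (tm == NULL)
        return NULL;
    /* strftime() is bounded by len and returns 0 if the result does not fit */
    if (strftime(buf, len, "%a %b %e %H:%M:%S %Y\n", tm) == 0)
        return NULL;
    return buf;
}

/* Constructed sample input: a time_t far beyond what struct tm can hold.
 * Only meaningful where time_t is 64 bits wide; returns 0 otherwise. */
time_t unrepresentable_time(void)
{
    return (time_t)(sizeof(time_t) >= 8 ? 1ULL << 62 : 0);
}

/* Length of the formatted string for t, or -1 if conversion failed. */
int formatted_length(time_t t)
{
    char buf[64];

    return checked_ctime(&t, buf, sizeof buf) ? (int)strlen(buf) : -1;
}

int main(void)
{
    time_t ok = (time_t)1264886561;  /* constructed: 30 Jan 2010, UTC */
    time_t bad = unrepresentable_time();
    char buf[64];

    printf("%s", checked_ctime(&ok, buf, sizeof buf) ? buf : "(unconvertible)\n");
    printf("%s", checked_ctime(&bad, buf, sizeof buf) ? buf : "(unconvertible)\n");
    return 0;
}
```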