diff --git a/CHANGELOG.md b/CHANGELOG.md
index febe71ecd..26c8b842f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - core: fix integer overflow with decimal numbers in calculation of expression
 - core: fix integer overflow in base32 encoding/decoding
 - core: fix integer overflow in function util_version_number
+- core: fix buffer overflow in function util_parse_time
 - core: fix memory leak in function util_parse_delay
 ## Version 4.6.2 (2025-04-18)
diff --git a/src/core/core-util.c b/src/core/core-util.c
index b232e9cb6..9cac5ee47 100644
--- a/src/core/core-util.c
+++ b/src/core/core-util.c
@@ -285,7 +285,8 @@ util_strftimeval (char *string, int max, const char *format, struct timeval *tv)
 int
 util_parse_time (const char *datetime, struct timeval *tv)
 {
- char *string, *pos, *pos2, str_usec[16], *error, str_date[128];
+ char *string, *pos, *pos2, str_usec[16], *error;
+ char str_date[128], str_date2[256];
 struct tm tm_date, tm_date_gm, tm_date_local, *local_time;
 time_t time_now, time_gm, time_local;
 long long value;
@@ -445,10 +446,10 @@ util_parse_time (const char *datetime, struct timeval *tv)
 local_time = localtime (&time_now);
 strftime (str_date, sizeof (str_date), "%Y-%m-%dT", local_time);
- strcat (str_date, string);
+ snprintf (str_date2, sizeof (str_date2), "%s%s", str_date, string);
 /* initialize structure, because strptime does not do it */
 memset (&tm_date, 0, sizeof (struct tm));
- pos = strptime (str_date, "%Y-%m-%dT%H:%M:%S", &tm_date);
+ pos = strptime (str_date2, "%Y-%m-%dT%H:%M:%S", &tm_date);
 if (pos)
 {
 if (use_local_time)
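Review bot: The `snprintf` into `str_date2` in the last hunk ignores its return value, so a `string` that does not fit in the space left in the 256-byte buffer is silently truncated, and the truncated text is what `strptime` then parses. The write is now bounded, but an over-long time string is never a valid `%H:%M:%S` value, so it would be cleaner to reject it when the result is negative or too large: `if (snprintf (str_date2, sizeof (str_date2), "%s%s", str_date, string) >= (int)sizeof (str_date2))`, followed by the function's existing failure path. That path, and whatever releases `string`, lie outside the hunk, so the exact error handling has to follow the rest of `util_parse_time`. `str_date` now holds only the `%Y-%m-%dT` prefix, so its 128 bytes are more than it needs, and a regression test that passes an over-long time string would pin the fix.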