From 9dfa81a00a9a7d4536f96848119c5ad40d9d72b4 Mon Sep 17 00:00:00 2001
From: Douglas Christman <DouglasChristman@gmail.com>
Date: Thu, 24 Nov 2016 12:47:55 -0500
Subject: calendarspec: reject strings with spurious spaces and signs

strtoul() parses leading whitespace and an optional sign;
check that the first character is a digit to prevent odd
specifications like "00:  00:  00" and "-00:+00/-1".
---
 src/basic/calendarspec.c     | 4 ++++
 src/test/test-calendarspec.c | 3 +++
 2 files changed, 7 insertions(+)

(limited to 'src')

diff --git a/src/basic/calendarspec.c b/src/basic/calendarspec.c
index eef4ed5240..1555230e30 100644
--- a/src/basic/calendarspec.c
+++ b/src/basic/calendarspec.c
@@ -18,6 +18,7 @@
 ***/
 
 #include <alloca.h>
+#include <ctype.h>
 #include <errno.h>
 #include <stddef.h>
 #include <stdio.h>
@@ -458,6 +459,9 @@ static int parse_component_decimal(const char **p, bool usec, unsigned long *res
         char *ee = NULL;
         int r;
 
+        if (!isdigit(**p))
+                return -EINVAL;
+
         errno = 0;
         value = strtoul(*p, &ee, 10);
         if (errno > 0)
diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c
index 93414c8508..873a4910d2 100644
--- a/src/test/test-calendarspec.c
+++ b/src/test/test-calendarspec.c
@@ -216,6 +216,9 @@ int main(int argc, char* argv[]) {
         assert_se(calendar_spec_from_string("*-*~5/5", &c) < 0);
         assert_se(calendar_spec_from_string("Monday.. 12:00", &c) < 0);
         assert_se(calendar_spec_from_string("Monday..", &c) < 0);
+        assert_se(calendar_spec_from_string("-00:+00/-5", &c) < 0);
+        assert_se(calendar_spec_from_string("00:+00/-5", &c) < 0);
+        assert_se(calendar_spec_from_string("2016- 11- 24 12: 30: 00", &c) < 0);
 
         test_timestamp();
         test_hourly_bug_4031();
-- 
cgit v1.2.3-54-g00ecf