---
- branch: MAIN
  date: Sun Apr 21 08:56:49 UTC 2024
  files:
  - new: '1.1103'
    old: '1.1102'
    path: src/usr.bin/make/var.c
    pathrev: src/usr.bin/make/var.c@1.1103
    type: modified
  id: 20240421T085649Z.6968bf70106744e43e49ce6bd1258e744ab7a12f
  log: |
    make: fix out-of-bounds read when evaluating :gmtime and :localtime

    The function TryParseTime takes a pointer to a string, but the LazyBuf
    returns a Substring, which is not guaranteed to be null-terminated or
    delimited.  In TryParseTime, calling strtoul on the Substring read past
    the end of the substring.

    Noticed in the NetBSD build in libntp, where the :gmtime modifier is
    used in two places with the same timestamp value, of which the first was
    evaluated correctly and the second wasn't.

    The bug was introduced in var.c 1.1050 from 2023-05-09, when the
    argument of the :gmtime and :localtime modifiers was allowed to be an
    expression instead of an integer constant.
  module: src
  subject: 'CVS commit: src/usr.bin/make'
  unixtime: '1713689809'
  user: rillig