printing: avoid crash in LPRng_time

If the string is too shhort we don't want to atoi() whatever is beyond the end of it. Found using Honggfuzz and the fuzz_parse_lpq_entry fuzzer. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Jul 5 05:07:13 UTC 2021 on sn-devel-184
smokey57 · Jul 5, 2021 · fc26756 · fc26756
1 parent 16c28b3
commit fc26756
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/source3/printing/lpq_parse.c b/source3/printing/lpq_parse.c
@@ -223,10 +223,16 @@ static time_t LPRng_time(char *time_string)
 	}
 
 	if ( atoi(time_string) < 24 ){
+		if (strlen(time_string) < 7) {
+			return (time_t)-1;
+		}
 		t->tm_hour = atoi(time_string);
 		t->tm_min = atoi(time_string+3);
 		t->tm_sec = atoi(time_string+6);
 	} else {
+		if (strlen(time_string) < 18) {
+			return (time_t)-1;
+		}
 		t->tm_year = atoi(time_string)-1900;
 		t->tm_mon = atoi(time_string+5)-1;
 		t->tm_mday = atoi(time_string+8);