summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2015-04-24 17:34:47 +0200
committerFlorian Weimer <fweimer@redhat.com>2015-04-24 17:34:48 +0200
commit42261ad731991df345880b0b509d83b0b9a9b9d8 (patch)
tree440bf43dca45a9002402ec602f0deaf3bfa6e3e3
parented159672eb3cd650a32b7e5cb4d5ec1fe0e63802 (diff)
downloadglibc-42261ad731991df345880b0b509d83b0b9a9b9d8.tar.gz
Make time zone file parser more robust [BZ #17715]
-rw-r--r--ChangeLog27
-rw-r--r--NEWS18
-rw-r--r--time/tzfile.c15
-rw-r--r--time/tzset.c401
-rw-r--r--timezone/Makefile6
-rw-r--r--timezone/README3
-rw-r--r--timezone/testdata/XT1bin0 -> 127 bytes
-rw-r--r--timezone/testdata/XT2bin0 -> 127 bytes
-rw-r--r--timezone/testdata/XT3bin0 -> 127 bytes
-rw-r--r--timezone/testdata/XT4bin0 -> 127 bytes
-rw-r--r--timezone/tst-tzset.c200
11 files changed, 456 insertions, 214 deletions
diff --git a/ChangeLog b/ChangeLog
index f515a2a43e..dbafd866f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,32 @@
2015-04-24 Florian Weimer <fweimer@redhat.com>
+ [BZ #17715]
+ * time/tzfile.c (__tzfile_read): Check for large values of
+ tzh_ttisstdcnt and tzh_ttisgmtcnt. Use malloc instead of alloca.
+ * time/tzset.c (__tzstring_len): New function, based on the old
+ __tzstring function.
+ (__tzstring): Call __tzstring_len.
+ (parse_tzname): New helper function extracted from
+ __tzset_parse_tz. Call __tzstring_len, without making a copy of
+ the input string.
+ (parse_offset): New helper function extracted from
+ __tzset_parse_tz. Replace switch with fallthrough with
+ initialization before sscanf.
+ (parse_rule): Likewise.
+ (__tzset_parse_tz): Rewrite using the new helper functions. Use
+ new-style function definition.
+ * timezone/Makefile (tests): Add tst-tzset.
+ (tst-tzset.out): Dependencies on time zone files.
+ (tst-tzset-ENV): Set TZDIR.
+ (testdata/XT%): Copy crafted time zone files.
+ * timezone/README: Mention crafted time zone files.
+ * timezone/testdata/XT1, timezone/testdata/XT2,
+ timezone/testdata/XT3, timezone/testdata/XT4: New time zone test
+ files.
+ * timezone/tst-tzset.c: New test.
+
+2015-04-24 Florian Weimer <fweimer@redhat.com>
+
* Makeconfig (+gccwarn): Remove -Winline.
2015-04-24 Stefan Liebler <stli@linux.vnet.ibm.com>
diff --git a/NEWS b/NEWS
index a628b5aef9..6408bed542 100644
--- a/NEWS
+++ b/NEWS
@@ -11,12 +11,12 @@ Version 2.22
4719, 6792, 13064, 14094, 14841, 14906, 15319, 15467, 15790, 15969, 16351,
16512, 16560, 16783, 16850, 17090, 17195, 17269, 17523, 17542, 17569,
- 17588, 17596, 17620, 17621, 17628, 17631, 17711, 17776, 17779, 17792,
- 17836, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965, 17967,
- 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020, 18029,
- 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047, 18068,
- 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185, 18197,
- 18206, 18210, 18211, 18247, 18287.
+ 17588, 17596, 17620, 17621, 17628, 17631, 17711, 17715, 17776, 17779,
+ 17792, 17836, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965,
+ 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020,
+ 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047,
+ 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185,
+ 18197, 18206, 18210, 18211, 18247, 18287.
* Cache information can be queried via sysconf() function on s390 e.g. with
_SC_LEVEL1_ICACHE_SIZE as argument.
@@ -28,6 +28,12 @@ Version 2.22
potentially arbitrary code execution, using crafted, but syntactically
valid DNS responses. (CVE-2015-1781)
+* The time zone file parser has been made more robust against crafted time
+ zone files, avoiding heap buffer overflows related to the processing of
+ the tzh_ttisstdcnt and tzh_ttisgmtcnt fields, and a stack overflow due to
+ large time zone data files. Overly long time zone specifiers in the TZ
+ variable no longer result in stack overflows and crashes.
+
* A powerpc and powerpc64 optimization for TLS, similar to TLS descriptors
for LD and GD on x86 and x86-64, has been implemented. You will need
binutils-2.24 or later to enable this optimization.
diff --git a/time/tzfile.c b/time/tzfile.c
index bcb408fcdb..46d4fc71ae 100644
--- a/time/tzfile.c
+++ b/time/tzfile.c
@@ -200,6 +200,9 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
num_isstd = (size_t) decode (tzhead.tzh_ttisstdcnt);
num_isgmt = (size_t) decode (tzhead.tzh_ttisgmtcnt);
+ if (__glibc_unlikely (num_isstd > num_types || num_isgmt > num_types))
+ goto lose;
+
/* For platforms with 64-bit time_t we use the new format if available. */
if (sizeof (time_t) == 8 && trans_width == 4
&& tzhead.tzh_version[0] != '\0')
@@ -434,13 +437,21 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
goto lose;
tzspec_len = st.st_size - off - 1;
- char *tzstr = alloca (tzspec_len);
+ if (tzspec_len == 0)
+ goto lose;
+ char *tzstr = malloc (tzspec_len);
+ if (tzstr == NULL)
+ goto lose;
if (getc_unlocked (f) != '\n'
|| (__fread_unlocked (tzstr, 1, tzspec_len - 1, f)
!= tzspec_len - 1))
- goto lose;
+ {
+ free (tzstr);
+ goto lose;
+ }
tzstr[tzspec_len - 1] = '\0';
tzspec = __tzstring (tzstr);
+ free (tzstr);
}
/* Don't use an empty TZ string. */
diff --git a/time/tzset.c b/time/tzset.c
index 82324ca980..d115bae0be 100644
--- a/time/tzset.c
+++ b/time/tzset.c
@@ -18,6 +18,7 @@
#include <ctype.h>
#include <errno.h>
#include <bits/libc-lock.h>
+#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
@@ -82,15 +83,14 @@ struct tzstring_l
static struct tzstring_l *tzstring_list;
-/* Allocate a permanent home for S. It will never be moved or deallocated,
- but may share space with other strings.
- Don't modify the returned string. */
-char *
-__tzstring (const char *s)
+/* Allocate a permanent home for the first LEN characters of S. It
+ will never be moved or deallocated, but may share space with other
+ strings. Don't modify the returned string. */
+static char *
+__tzstring_len (const char *s, size_t len)
{
char *p;
struct tzstring_l *t, *u, *new;
- size_t len = strlen (s);
/* Walk the list and look for a match. If this string is the same
as the end of an already-allocated string, it can share space. */
@@ -98,7 +98,7 @@ __tzstring (const char *s)
if (len <= t->len)
{
p = &t->data[t->len - len];
- if (strcmp (s, p) == 0)
+ if (memcmp (s, p, len) == 0)
return p;
}
@@ -109,7 +109,8 @@ __tzstring (const char *s)
new->next = NULL;
new->len = len;
- strcpy (new->data, s);
+ memcpy (new->data, s, len);
+ new->data[len] = '\0';
if (u)
u->next = new;
@@ -118,6 +119,15 @@ __tzstring (const char *s)
return new->data;
}
+
+/* Allocate a permanent home for S. It will never be moved or
+ deallocated, but may share space with other strings. Don't modify
+ the returned string. */
+char *
+__tzstring (const char *s)
+{
+ return __tzstring_len (s, strlen (s));
+}
/* Maximum length of a timezone name. tzset_internal keeps this up to date
(never decreasing it) when ! __use_tzfile.
@@ -164,234 +174,215 @@ compute_offset (unsigned int ss, unsigned int mm, unsigned int hh)
return min (ss, 59) + min (mm, 59) * 60 + min (hh, 24) * 60 * 60;
}
-
-/* Parse the POSIX TZ-style string. */
-void
-__tzset_parse_tz (tz)
- const char *tz;
+/* Parses the time zone name at *TZP, and writes a pointer to an
+ interned string to tz_rules[WHICHRULE].name. On success, advances
+ *TZP, and returns true. Returns false otherwise. */
+static bool
+parse_tzname (const char **tzp, int whichrule)
{
- unsigned short int hh, mm, ss;
-
- /* Clear out old state and reset to unnamed UTC. */
- memset (tz_rules, '\0', sizeof tz_rules);
- tz_rules[0].name = tz_rules[1].name = "";
-
- /* Get the standard timezone name. */
- char *tzbuf = strdupa (tz);
-
- int consumed;
- if (sscanf (tz, "%[A-Za-z]%n", tzbuf, &consumed) != 1)
+ const char *start = *tzp;
+ const char *p = start;
+ while (('a' <= *p && *p <= 'z')
+ || ('A' <= *p && *p <= 'Z'))
+ ++p;
+ size_t len = p - start;
+ if (len < 3)
{
- /* Check for the quoted version. */
- char *wp = tzbuf;
- if (__glibc_unlikely (*tz++ != '<'))
- goto out;
-
- while (isalnum (*tz) || *tz == '+' || *tz == '-')
- *wp++ = *tz++;
- if (__glibc_unlikely (*tz++ != '>' || wp - tzbuf < 3))
- goto out;
- *wp = '\0';
+ p = *tzp;
+ if (__glibc_unlikely (*p++ != '<'))
+ return false;
+ start = p;
+ while (('a' <= *p && *p <= 'z')
+ || ('A' <= *p && *p <= 'Z')
+ || ('0' <= *p && *p <= '9')
+ || *p == '+' || *p == '-')
+ ++p;
+ len = p - start;
+ if (*p++ != '>' || len < 3)
+ return false;
}
- else if (__glibc_unlikely (consumed < 3))
- goto out;
- else
- tz += consumed;
-
- tz_rules[0].name = __tzstring (tzbuf);
+ tz_rules[whichrule].name = __tzstring_len (start, len);
+ *tzp = p;
+ return true;
+}
- /* Figure out the standard offset from UTC. */
- if (*tz == '\0' || (*tz != '+' && *tz != '-' && !isdigit (*tz)))
- goto out;
+/* Parses the time zone offset at *TZP, and writes it to
+ tz_rules[WHICHRULE].offset. Returns true if the parse was
+ successful. */
+static bool
+parse_offset (const char **tzp, int whichrule)
+{
+ const char *tz = *tzp;
+ if (whichrule == 0
+ && (*tz == '\0' || (*tz != '+' && *tz != '-' && !isdigit (*tz))))
+ return false;
+ long sign;
if (*tz == '-' || *tz == '+')
- tz_rules[0].offset = *tz++ == '-' ? 1L : -1L;
+ sign = *tz++ == '-' ? 1L : -1L;
else
- tz_rules[0].offset = -1L;
- switch (sscanf (tz, "%hu%n:%hu%n:%hu%n",
- &hh, &consumed, &mm, &consumed, &ss, &consumed))
- {
- default:
- tz_rules[0].offset = 0;
- goto out;
- case 1:
- mm = 0;
- case 2:
- ss = 0;
- case 3:
- break;
- }
- tz_rules[0].offset *= compute_offset (ss, mm, hh);
- tz += consumed;
-
- /* Get the DST timezone name (if any). */
- if (*tz != '\0')
- {
- if (sscanf (tz, "%[A-Za-z]%n", tzbuf, &consumed) != 1)
- {
- /* Check for the quoted version. */
- char *wp = tzbuf;
- const char *rp = tz;
- if (__glibc_unlikely (*rp++ != '<'))
- /* Punt on name, set up the offsets. */
- goto done_names;
-
- while (isalnum (*rp) || *rp == '+' || *rp == '-')
- *wp++ = *rp++;
- if (__glibc_unlikely (*rp++ != '>' || wp - tzbuf < 3))
- /* Punt on name, set up the offsets. */
- goto done_names;
- *wp = '\0';
- tz = rp;
- }
- else if (__glibc_unlikely (consumed < 3))
- /* Punt on name, set up the offsets. */
- goto done_names;
+ sign = -1L;
+ *tzp = tz;
+
+ unsigned short int hh;
+ unsigned short mm = 0;
+ unsigned short ss = 0;
+ int consumed = 0;
+ if (sscanf (tz, "%hu%n:%hu%n:%hu%n",
+ &hh, &consumed, &mm, &consumed, &ss, &consumed) > 0)
+ tz_rules[whichrule].offset = sign * compute_offset (ss, mm, hh);
+ else
+ /* Nothing could be parsed. */
+ if (whichrule == 0)
+ {
+ /* Standard time defaults to offset zero. */
+ tz_rules[0].offset = 0;
+ return false;
+ }
else
- tz += consumed;
+ /* DST defaults to one hour later than standard time. */
+ tz_rules[1].offset = tz_rules[0].offset + (60 * 60);
+ *tzp = tz + consumed;
+ return true;
+}
- tz_rules[1].name = __tzstring (tzbuf);
+/* Parses the standard <-> DST rules at *TZP. Updates
+ tz_rule[WHICHRULE]. On success, advances *TZP and returns true.
+ Otherwise, returns false. */
+static bool
+parse_rule (const char **tzp, int whichrule)
+{
+ const char *tz = *tzp;
+ tz_rule *tzr = &tz_rules[whichrule];
- /* Figure out the DST offset from GMT. */
- if (*tz == '-' || *tz == '+')
- tz_rules[1].offset = *tz++ == '-' ? 1L : -1L;
- else
- tz_rules[1].offset = -1L;
+ /* Ignore comma to support string following the incorrect
+ specification in early POSIX.1 printings. */
+ tz += *tz == ',';
- switch (sscanf (tz, "%hu%n:%hu%n:%hu%n",
- &hh, &consumed, &mm, &consumed, &ss, &consumed))
+ /* Get the date of the change. */
+ if (*tz == 'J' || isdigit (*tz))
+ {
+ char *end;
+ tzr->type = *tz == 'J' ? J1 : J0;
+ if (tzr->type == J1 && !isdigit (*++tz))
+ return false;
+ unsigned long int d = strtoul (tz, &end, 10);
+ if (end == tz || d > 365)
+ return false;
+ if (tzr->type == J1 && d == 0)
+ return false;
+ tzr->d = d;
+ tz = end;
+ }
+ else if (*tz == 'M')
+ {
+ tzr->type = M;
+ int consumed;
+ if (sscanf (tz, "M%hu.%hu.%hu%n",
+ &tzr->m, &tzr->n, &tzr->d, &consumed) != 3
+ || tzr->m < 1 || tzr->m > 12
+ || tzr->n < 1 || tzr->n > 5 || tzr->d > 6)
+ return false;
+ tz += consumed;
+ }
+ else if (*tz == '\0')
+ {
+ /* Daylight time rules in the U.S. are defined in the U.S. Code,
+ Title 15, Chapter 6, Subchapter IX - Standard Time. These
+ dates were established by Congress in the Energy Policy Act
+ of 2005 [Pub. L. no. 109-58, 119 Stat 594 (2005)].
+ Below is the equivalent of "M3.2.0,M11.1.0" [/2 not needed
+ since 2:00AM is the default]. */
+ tzr->type = M;
+ if (tzr == &tz_rules[0])
{
- default:
- /* Default to one hour later than standard time. */
- tz_rules[1].offset = tz_rules[0].offset + (60 * 60);
- break;
-
- case 1:
- mm = 0;
- case 2:
- ss = 0;
- case 3:
- tz_rules[1].offset *= compute_offset (ss, mm, hh);
- tz += consumed;
- break;
+ tzr->m = 3;
+ tzr->n = 2;
+ tzr->d = 0;
}
- if (*tz == '\0' || (tz[0] == ',' && tz[1] == '\0'))
+ else
{
- /* There is no rule. See if there is a default rule file. */
- __tzfile_default (tz_rules[0].name, tz_rules[1].name,
- tz_rules[0].offset, tz_rules[1].offset);
- if (__use_tzfile)
- {
- free (old_tz);
- old_tz = NULL;
- return;
- }
+ tzr->m = 11;
+ tzr->n = 1;
+ tzr->d = 0;
}
}
else
+ return false;
+
+ if (*tz != '\0' && *tz != '/' && *tz != ',')
+ return false;
+ else if (*tz == '/')
{
- /* There is no DST. */
- tz_rules[1].name = tz_rules[0].name;
- tz_rules[1].offset = tz_rules[0].offset;
- goto out;
+ /* Get the time of day of the change. */
+ int negative;
+ ++tz;
+ if (*tz == '\0')
+ return false;
+ negative = *tz == '-';
+ tz += negative;
+ /* Default to 2:00 AM. */
+ unsigned short hh = 2;
+ unsigned short mm = 0;
+ unsigned short ss = 0;
+ int consumed = 0;
+ sscanf (tz, "%hu%n:%hu%n:%hu%n",
+ &hh, &consumed, &mm, &consumed, &ss, &consumed);;
+ tz += consumed;
+ tzr->secs = (negative ? -1 : 1) * ((hh * 60 * 60) + (mm * 60) + ss);
}
+ else
+ /* Default to 2:00 AM. */
+ tzr->secs = 2 * 60 * 60;
- done_names:
- /* Figure out the standard <-> DST rules. */
- for (unsigned int whichrule = 0; whichrule < 2; ++whichrule)
- {
- tz_rule *tzr = &tz_rules[whichrule];
+ tzr->computed_for = -1;
+ *tzp = tz;
+ return true;
+}
- /* Ignore comma to support string following the incorrect
- specification in early POSIX.1 printings. */
- tz += *tz == ',';
+/* Parse the POSIX TZ-style string. */
+void
+__tzset_parse_tz (const char *tz)
+{
+ /* Clear out old state and reset to unnamed UTC. */
+ memset (tz_rules, '\0', sizeof tz_rules);
+ tz_rules[0].name = tz_rules[1].name = "";
- /* Get the date of the change. */
- if (*tz == 'J' || isdigit (*tz))
- {
- char *end;
- tzr->type = *tz == 'J' ? J1 : J0;
- if (tzr->type == J1 && !isdigit (*++tz))
- goto out;
- unsigned long int d = strtoul (tz, &end, 10);
- if (end == tz || d > 365)
- goto out;
- if (tzr->type == J1 && d == 0)
- goto out;
- tzr->d = d;
- tz = end;
- }
- else if (*tz == 'M')
- {
- tzr->type = M;
- if (sscanf (tz, "M%hu.%hu.%hu%n",
- &tzr->m, &tzr->n, &tzr->d, &consumed) != 3
- || tzr->m < 1 || tzr->m > 12
- || tzr->n < 1 || tzr->n > 5 || tzr->d > 6)
- goto out;
- tz += consumed;
- }
- else if (*tz == '\0')
+ /* Get the standard timezone name. */
+ if (parse_tzname (&tz, 0) && parse_offset (&tz, 0))
+ {
+ /* Get the DST timezone name (if any). */
+ if (*tz != '\0')
{
- /* Daylight time rules in the U.S. are defined in the
- U.S. Code, Title 15, Chapter 6, Subchapter IX - Standard
- Time. These dates were established by Congress in the
- Energy Policy Act of 2005 [Pub. L. no. 109-58, 119 Stat 594
- (2005)].
- Below is the equivalent of "M3.2.0,M11.1.0" [/2 not needed
- since 2:00AM is the default]. */
- tzr->type = M;
- if (tzr == &tz_rules[0])
+ if (parse_tzname (&tz, 1))
{
- tzr->m = 3;
- tzr->n = 2;
- tzr->d = 0;
- }
- else
- {
- tzr->m = 11;
- tzr->n = 1;
- tzr->d = 0;
+ parse_offset (&tz, 1);
+ if (*tz == '\0' || (tz[0] == ',' && tz[1] == '\0'))
+ {
+ /* There is no rule. See if there is a default rule
+ file. */
+ __tzfile_default (tz_rules[0].name, tz_rules[1].name,
+ tz_rules[0].offset, tz_rules[1].offset);
+ if (__use_tzfile)
+ {
+ free (old_tz);
+ old_tz = NULL;
+ return;
+ }
+ }
}
+ /* Figure out the standard <-> DST rules. */
+ if (parse_rule (&tz, 0))
+ parse_rule (&tz, 1);
}
else
- goto out;
-
- if (*tz != '\0' && *tz != '/' && *tz != ',')
- goto out;
- else if (*tz == '/')
{
- /* Get the time of day of the change. */
- int negative;
- ++tz;
- if (*tz == '\0')
- goto out;
- negative = *tz == '-';
- tz += negative;
- consumed = 0;
- switch (sscanf (tz, "%hu%n:%hu%n:%hu%n",
- &hh, &consumed, &mm, &consumed, &ss, &consumed))
- {
- default:
- hh = 2; /* Default to 2:00 AM. */
- case 1:
- mm = 0;
- case 2:
- ss = 0;
- case 3:
- break;
- }
- tz += consumed;
- tzr->secs = (negative ? -1 : 1) * ((hh * 60 * 60) + (mm * 60) + ss);
+ /* There is no DST. */
+ tz_rules[1].name = tz_rules[0].name;
+ tz_rules[1].offset = tz_rules[0].offset;
}
- else
- /* Default to 2:00 AM. */
- tzr->secs = 2 * 60 * 60;
-
- tzr->computed_for = -1;
}
- out:
update_vars ();
}
diff --git a/timezone/Makefile b/timezone/Makefile
index 17424b8103..5f185458bc 100644
--- a/timezone/Makefile
+++ b/timezone/Makefile
@@ -25,7 +25,7 @@ include ../Makeconfig
extra-objs := scheck.o ialloc.o
others := zdump zic
-tests := test-tz tst-timezone
+tests := test-tz tst-timezone tst-tzset
# pacificnew doesn't compile; if it is to be used, it should be included in
# northamerica.
@@ -90,9 +90,11 @@ $(objpfx)tst-timezone.out: $(addprefix $(testdata)/, \
Australia/Melbourne \
America/Sao_Paulo Asia/Tokyo \
Europe/London)
+$(objpfx)tst-tzset.out: $(addprefix $(testdata)/XT, 1 2 3 4)
test-tz-ENV = TZDIR=$(testdata)
tst-timezone-ENV = TZDIR=$(testdata)
+tst-tzset-ENV = TZDIR=$(testdata)
# Note this must come second in the deps list for $(built-program-cmd) to work.
zic-deps = $(objpfx)zic $(leapseconds) yearistype
@@ -114,6 +116,8 @@ $(testdata)/America/Sao_Paulo: southamerica $(zic-deps)
$(testdata)/Asia/Tokyo: asia $(zic-deps)
$(build-testdata)
+$(testdata)/XT%: testdata/XT%
+ cp $< $@
$(objpfx)tzselect: tzselect.ksh $(common-objpfx)config.make
sed -e 's|/bin/bash|$(BASH)|' \
diff --git a/timezone/README b/timezone/README
index 7a5e31ce42..2268f8ec85 100644
--- a/timezone/README
+++ b/timezone/README
@@ -15,3 +15,6 @@ version of the tzcode and tzdata packages.
These packages may be found at ftp://ftp.iana.org/tz/releases/. Commentary
should be addressed to tz@iana.org.
+
+The subdirectory testdata contains manually edited data files for
+regression testing purposes.
diff --git a/timezone/testdata/XT1 b/timezone/testdata/XT1
new file mode 100644
index 0000000000..67d7ee0ba5
--- /dev/null
+++ b/timezone/testdata/XT1
Binary files differ
diff --git a/timezone/testdata/XT2 b/timezone/testdata/XT2
new file mode 100644
index 0000000000..069189e349
--- /dev/null
+++ b/timezone/testdata/XT2
Binary files differ
diff --git a/timezone/testdata/XT3 b/timezone/testdata/XT3
new file mode 100644
index 0000000000..fbf5efff9e
--- /dev/null
+++ b/timezone/testdata/XT3
Binary files differ
diff --git a/timezone/testdata/XT4 b/timezone/testdata/XT4
new file mode 100644
index 0000000000..990a9763da
--- /dev/null
+++ b/timezone/testdata/XT4
Binary files differ
diff --git a/timezone/tst-tzset.c b/timezone/tst-tzset.c
new file mode 100644
index 0000000000..aefcc765dd
--- /dev/null
+++ b/timezone/tst-tzset.c
@@ -0,0 +1,200 @@
+/* tzset tests with crafted time zone data.
+ Copyright (C) 2015 Free Software Foundation, Inc.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#define _GNU_SOURCE 1
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/resource.h>
+#include <time.h>
+#include <unistd.h>
+
+static int do_test (void);
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
+
+/* Returns the name of a large TZ file. */
+static char *
+create_tz_file (off64_t size)
+{
+ char *path;
+ int fd = create_temp_file ("tst-tzset-", &path);
+ if (fd < 0)
+ exit (1);
+
+ // Reopen for large-file support.
+ close (fd);
+ fd = open64 (path, O_WRONLY);
+ if (fd < 0)
+ {
+ printf ("open64 (%s) failed: %m\n", path);
+ exit (1);
+ }
+
+ static const char data[] = {
+ 0x54, 0x5a, 0x69, 0x66, 0x32, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+ 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x58, 0x54, 0x47, 0x00, 0x00, 0x00,
+ 0x54, 0x5a, 0x69, 0x66, 0x32, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
+ 0x00, 0x00, 0x00, 0x04, 0xf8, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x58, 0x54, 0x47, 0x00, 0x00,
+ 0x00, 0x0a, 0x58, 0x54, 0x47, 0x30, 0x0a
+ };
+ ssize_t ret = write (fd, data, sizeof (data));
+ if (ret < 0)
+ {
+ printf ("write failed: %m\n");
+ exit (1);
+ }
+ if ((size_t) ret != sizeof (data))
+ {
+ printf ("Short write\n");
+ exit (1);
+ }
+ if (lseek64 (fd, size, SEEK_CUR) < 0)
+ {
+ printf ("lseek failed: %m\n");
+ close (fd);
+ return NULL;
+ }
+ if (write (fd, "", 1) != 1)
+ {
+ printf ("Single-byte write failed\n");
+ close (fd);
+ return NULL;
+ }
+ if (close (fd) != 0)
+ {
+ printf ("close failed: %m\n");
+ exit (1);
+ }
+ return path;
+}
+
+static void
+test_tz_file (off64_t size)
+{
+ char *path = create_tz_file (size);
+ if (setenv ("TZ", path, 1) < 0)
+ {
+ printf ("setenv failed: %m\n");
+ exit (1);
+ }
+ tzset ();
+ free (path);
+}
+
+static int
+do_test (void)
+{
+ /* Limit the size of the process. Otherwise, some of the tests will
+ consume a lot of resources. */
+ {
+ struct rlimit limit;
+ if (getrlimit (RLIMIT_AS, &limit) != 0)
+ {
+ printf ("getrlimit (RLIMIT_AS) failed: %m\n");
+ return 1;
+ }
+ long target = 512 * 1024 * 1024;
+ if (limit.rlim_cur == RLIM_INFINITY || limit.rlim_cur > target)
+ {
+ limit.rlim_cur = 512 * 1024 * 1024;
+ if (setrlimit (RLIMIT_AS, &limit) != 0)
+ {
+ printf ("setrlimit (RLIMIT_AS) failed: %m\n");
+ return 1;
+ }
+ }
+ }
+
+ int errors = 0;
+ for (int i = 1; i <= 4; ++i)
+ {
+ char tz[16];
+ snprintf (tz, sizeof (tz), "XT%d", i);
+ if (setenv ("TZ", tz, 1) < 0)
+ {
+ printf ("setenv failed: %m\n");
+ return 1;
+ }
+ tzset ();
+ if (strcmp (tzname[0], tz) == 0)
+ {
+ printf ("Unexpected success for %s\n", tz);
+ ++errors;
+ }
+ }
+
+ /* Large TZ files. */
+
+ /* This will succeed on 64-bit architectures, and fail on 32-bit
+ architectures. It used to crash on 32-bit. */
+ test_tz_file (64 * 1024 * 1024);
+
+ /* This will fail on 64-bit and 32-bit architectures. It used to
+ cause a test timeout on 64-bit and crash on 32-bit if the TZ file
+ open succeeded for some reason (it does not use O_LARGEFILE in
+ regular builds). */
+ test_tz_file (4LL * 1024 * 1024 * 1024 - 6);
+
+ /* Large TZ variables. */
+ {
+ size_t length = 64 * 1024 * 1024;
+ char *value = malloc (length + 1);
+ if (value == NULL)
+ {
+ puts ("malloc failed: %m");
+ return 1;
+ }
+ value[length] = '\0';
+
+ memset (value, ' ', length);
+ value[0] = 'U';
+ value[1] = 'T';
+ value[2] = 'C';
+ if (setenv ("TZ", value, 1) < 0)
+ {
+ printf ("setenv failed: %m\n");
+ return 1;
+ }
+ tzset ();
+
+ memset (value, '0', length);
+ value[0] = '<';
+ value[length - 1] = '>';
+ if (setenv ("TZ", value, 1) < 0)
+ {
+ printf ("setenv failed: %m\n");
+ return 1;
+ }
+ tzset ();
+ }
+
+ return errors > 0;
+}