printing: avoid crash in LPRng_time

If the string is too shhort we don't want to atoi() whatever is beyond the end of it. Found using Honggfuzz and the fuzz_parse_lpq_entry fuzzer. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Jul 5 05:07:13 UTC 2021 on sn-devel-184
author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 2021-05-05 14:55:47 +0000
committer: Andrew Bartlett <abartlet@samba.org> 2021-07-05 05:07:13 +0000
commit: fc267567a072c9483bbcc5cc18e150244bc5376b (patch)
tree: 213493958f35ce3e2c0b615de5b28a7a3e54213f
parent: 16c28b367d9edc760e62949f0eef34b8046ece75 (diff)
download: samba-fc267567a072c9483bbcc5cc18e150244bc5376b.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/printing/lpq_parse.c b/source3/printing/lpq_parse.c
index f016707c088..335bc7f4e75 100644
--- a/source3/printing/lpq_parse.c
+++ b/source3/printing/lpq_parse.c
@@ -223,10 +223,16 @@ static time_t LPRng_time(char *time_string)
 	}
 
 	if ( atoi(time_string) < 24 ){
+		if (strlen(time_string) < 7) {
+			return (time_t)-1;
+		}
 		t->tm_hour = atoi(time_string);
 		t->tm_min = atoi(time_string+3);
 		t->tm_sec = atoi(time_string+6);
 	} else {
+		if (strlen(time_string) < 18) {
+			return (time_t)-1;
+		}
 		t->tm_year = atoi(time_string)-1900;
 		t->tm_mon = atoi(time_string+5)-1;
 		t->tm_mday = atoi(time_string+8);
author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2021-05-05 14:55:47 +0000
committer	Andrew Bartlett <abartlet@samba.org>	2021-07-05 05:07:13 +0000
commit	fc267567a072c9483bbcc5cc18e150244bc5376b (patch)
tree	213493958f35ce3e2c0b615de5b28a7a3e54213f
parent	16c28b367d9edc760e62949f0eef34b8046ece75 (diff)
download	samba-fc267567a072c9483bbcc5cc18e150244bc5376b.tar.gz