Problem reported by GitHub user rootvector2.
* NEWS: Mention this.
* zic.c (outzone): Increase envvar len max.
---
NEWS | 5 +++++
zic.c | 6 +++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 905a086d..d4ba011b 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,11 @@ Unreleased, experimental changes
zic no longer mishandles a last transition to a new time type.
+ zic no longer overflows a buffer when generating a TZ string like
+ "PST-167:59:58PDT-167:59:59,M11.5.6/-167:59:59,M12.5.6/-167:59:59",
+ which can occur with adversarial input. (Thanks to GitHub
+ user rootvector2.)
+
Release 2026a - 2026-03-01 22:59:49 -0800
diff --git a/zic.c b/zic.c
index 225ad419..77396228 100644
--- a/zic.c
+++ b/zic.c
@@ -3416,12 +3416,16 @@ outzone(const struct zone *zpfirst, ptrdiff_t zonecount)
int nonTZlimtype = -1;
zic_t max_year0;
int defaulttype = -1;
+ int max_stringoffset_len = sizeof "-167:59:59" - 1;
+ int max_comma_stringrule_len = (sizeof ",M12.5.6/" - 1
+ + max_stringoffset_len);
check_for_signal();
/* This cannot overflow; see FORMAT_LEN_GROWTH_BOUND. */
max_abbr_len = 2 + max_format_len + max_abbrvar_len;
- max_envvar_len = 2 * max_abbr_len + 5 * 9;
+ max_envvar_len = 2 * (max_abbr_len + max_stringoffset_len
+ + max_comma_stringrule_len);
startbuf = xmalloc(max_abbr_len + 1);
ab = xmalloc(max_abbr_len + 1);
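Review bot: The new bound for max_envvar_len in outzone is worked out by hand from two string literals, and nothing visible in this hunk ties it to the code that writes the TZ string. A later change to the offset or rule format could therefore bring the overflow back without anyone noticing. I would add a comment above the two new locals, for example `/* Worst case: abbr, offset, abbr, offset, then two ",Mm.w.d/time" rules; each offset or time is at most "-167:59:59". */`. If the code that fills the envvar buffer (outside this hunk) does not already check the produced length against max_envvar_len, adding that check would make the fix robust to a wrong estimate. outzone's body starts and continues outside the hunk, so the buffer allocation and the write site could not be checked here.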
--
2.51.0