[PATCH 04/19] Fixed Savannah bug #23663, crash in some locales for find -printf '%AX'

[James Youngman]

---
 ChangeLog   |    6 ++++++
 NEWS        |    5 +++++
 find/pred.c |    5 +++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fb8d234..259fd66 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,12 @@
 
 2009-04-10  James Youngman  <address@hidden>
 
+       Backport fix for Savannah bug #23663, crash in some locales for %AX.
+       * find/pred.c (do_time_format): Fix off-by-one error in handling
+       of the buffer used to print timestamps.   This caused a crash in
+       some locales when handling the %AX format specifier.
+       * NEWS: Mention this bugfix.
+
        Fix bug #22662 (backport from 4.5.x)
        * find/pred.c (scan_for_digit_differences): Remember that we saw
        the first differing digit and also get the order of the
diff --git a/NEWS b/NEWS
index 8cc4dc4..97c3deb 100644
--- a/NEWS
+++ b/NEWS
@@ -9,10 +9,15 @@ versions of the AIX C compiler), find's regular expression
 implementation fails to support case-insensitive regular expression
 matching, causing -iregex to behave like -regex.  This is now fixed.
 
+
 #23070: Corrected manpage description of find -perm /000 (the change
 was already made but the manpage indicated the change would happen
 "soon"). 
 
+#23663: crash in some locales for -printf %AX (this problem seems to
+have affected only the CVS code for 4.5.x, and not any public
+releases, but it was a problem with the original fix for bug #22662)
+
 #24169: find would segfault if the -newerXY test was not followed by
 any argument.
 
diff --git a/find/pred.c b/find/pred.c
index 8cfaf74..3a829bc 100644
--- a/find/pred.c
+++ b/find/pred.c
@@ -2101,7 +2101,6 @@ do_time_format (const char *fmt, const struct tm *p, 
const char *ns, size_t ns_s
          size_t i, n;
          size_t final_len = (buf_used
                              + 1u /* for \0 */
-                             - 1u /* because we don't need the initial 
underscore */
                              + ns_size);
          buf = xrealloc (buf, final_len);
          altbuf = xmalloc (final_len);
@@ -2117,15 +2116,17 @@ do_time_format (const char *fmt, const struct tm *p, 
const char *ns, size_t ns_s
              && (2==n) && !isdigit((unsigned char)buf[i+n]))
            {
              const size_t end_of_seconds = i + n;
+             const size_t suffix_len = buf_used-(end_of_seconds)+1;
 
              /* Move the tail (including the \0).  Note that this
               * is a move of an overlapping memory block, so we
               * must use memmove instead of memcpy.  Then insert
               * the nanoseconds (but not its trailing \0).
               */
+             assert (end_of_seconds + ns_size + suffix_len == final_len);
              memmove (buf+end_of_seconds+ns_size,
                       buf+end_of_seconds,
-                      buf_used-(end_of_seconds)+1);
+                      suffix_len);
              memcpy (buf+i+n, ns, ns_size);
            }
          else
-- 
1.5.6.5