Avoid potential use of uninitialized in ASN1_time_parse

When parsing an UTCTime into a struct tm that wasn't cleared by the caller,
the years would be added to the already present value, which could give an
incorrect result.  This is an issue in ASN1_UTCTIME_cmp_time_t(), which is
practically unused.  Fix this by always zeroing the passed struct tm.

Issue reported by Olivier Taïbi, thanks!

ok jsing

1 files changed, 3 insertions, 4 deletions

diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index b6e22cbd27..33959afe63 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.15 2018/04/25 11:48:21 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.16 2020/12/16 18:35:59 tb Exp $ */
 /*
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
@@ -163,10 +163,9 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
                 return (-1);
 
         lt = tm;
-        if (lt == NULL) {
-                memset(&ltm, 0, sizeof(ltm));
+        if (lt == NULL)
                 lt = &ltm;
-        }
+        memset(lt, 0, sizeof(*lt));
 
         /* Timezone is required and must be GMT (Zulu). */
         if (bytes[len - 1] != 'Z')