github.com/mono/libgit2.git
author Patrick Steinhardt <ps@pks.im> 2018-10-18 12:32:48 +0300
committer Patrick Steinhardt <ps@pks.im> 2018-10-26 15:35:16 +0300
commit ac1751f6df72b82df0e5f8b9ca4a8ad894d33ae1
tree ca52c820b6cc5292a649599f187bf4e17f8bda0e
parent da0e03ce0298dd0fc409ac4abf06fbad0d20e60a
signature: avoid out-of-bounds reads when parsing signature dates
We use `git__strtol64` and `git__strtol32` to parse the trailing commit or author date and timezone of signatures. As signatures are usually part of a commit or tag object and thus essentially untrusted data, the buffer may be misformatted and may not be `NUL` terminated. This may lead to an out-of-bounds read.

Fix the issue by using `git__strntol64` and `git__strntol32` instead.

(cherry picked from commit 3db9aa6f79711103a331a2bbbd044a3c37d4f136)
-rw-r--r-- src/signature.c | 8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/signature.c b/src/signature.c
index 25e0ee723..2e0cfe01a 100644
--- a/src/signature.c
+++ b/src/signature.c
@@ -228,7 +228,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
const char *time_start = email_end + 2;
const char *time_end;
- if (git__strtol64(&sig->when.time, time_start, &time_end, 10) < 0) {
+ if (git__strntol64(&sig->when.time, time_start,
+ buffer_end - time_start, &time_end, 10) < 0) {
git__free(sig->name);
git__free(sig->email);
sig->name = sig->email = NULL;
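Review bot: The length passed to git__strntol64, `buffer_end - time_start`, is only a valid bound if `time_start` (which is `email_end + 2`) is still at or before `buffer_end`, and nothing in this hunk's context checks that. If `email_end` is the last byte of the buffer, the difference is negative, and if the length parameter is an unsigned type it turns into a very large value, which makes the bounded call effectively unbounded again. Suggest checking `email_end + 2 <= buffer_end` before computing `time_start`, or noting in a comment which earlier check guarantees it, and taking the same error path as the parse failure when it does not hold.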
@@ -243,8 +244,9 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
tz_start = time_end + 1;
if ((tz_start[0] != '-' && tz_start[0] != '+') ||
- git__strtol32(&offset, tz_start + 1, &tz_end, 10) < 0) {
- //malformed timezone, just assume it's zero
+ git__strntol32(&offset, tz_start + 1,
+ buffer_end - tz_start + 1, &tz_end, 10) < 0) {
+ /* malformed timezone, just assume it's zero */
offset = 0;
}
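Review bot: The length argument in the git__strntol32 call, `buffer_end - tz_start + 1`, does not match the start pointer `tz_start + 1`. By C precedence it evaluates as `(buffer_end - tz_start) + 1`, while the bytes remaining from `tz_start + 1` are `buffer_end - (tz_start + 1)`, so the bound is two bytes too large and the parser may still read past `buffer_end`. Suggest `buffer_end - (tz_start + 1)` with explicit parentheses. Separately, `tz_start[0]` is dereferenced in the first half of the condition with no visible check that `tz_start < buffer_end`; since `tz_start` is `time_end + 1`, a signature that ends right after the timestamp would read one byte out of bounds before the bounded call is even reached, so a `tz_start >= buffer_end` test belongs ahead of the sign check.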