author | Patrick Steinhardt <ps@pks.im> | 2018-10-18 11:32:48 +0200 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2018-10-19 13:52:39 +0200 |
commit | c6d95b2a57a663390da6c2250bc322e66bd3c4b5 (patch) | |
tree | ecfe889631457ac29b50fae346cd26353ddc7c8c | |
parent | fa56db3ca5a9e5c2e2eac5c8d00187de7556e220 (diff) | |
download | libgit2-c6d95b2a57a663390da6c2250bc322e66bd3c4b5.tar.gz |
signature: avoid out-of-bounds reads when parsing signature dates
We use `git__strtol64` and `git__strtol32` to parse the trailing commit
or author date and timezone of signatures. As signatures are usually
part of a commit or tag object and thus essentially untrusted data, the
buffer may be misformatted and may not be `NUL` terminated. This may
lead to an out-of-bounds read.
Fix the issue by using `git__strntol64` and `git__strntol32` instead.
(cherry picked from commit 3db9aa6f79711103a331a2bbbd044a3c37d4f136)
-rw-r--r-- | src/signature.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/signature.c b/src/signature.c
index 25e0ee723..2e0cfe01a 100644
--- a/src/signature.c
+++ b/src/signature.c
@@ -228,7 +228,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
 const char *time_start = email_end + 2;
 const char *time_end;
- if (git__strtol64(&sig->when.time, time_start, &time_end, 10) < 0) {
+ if (git__strntol64(&sig->when.time, time_start,
+ buffer_end - time_start, &time_end, 10) < 0) {
 git__free(sig->name);
 git__free(sig->email);
 sig->name = sig->email = NULL;
@@ -243,8 +244,9 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
 tz_start = time_end + 1;
 if ((tz_start[0] != '-' && tz_start[0] != '+') ||
- git__strtol32(&offset, tz_start + 1, &tz_end, 10) < 0) {
- //malformed timezone, just assume it's zero
+ git__strntol32(&offset, tz_start + 1,
+ buffer_end - tz_start + 1, &tz_end, 10) < 0) {
+ /* malformed timezone, just assume it's zero */
 offset = 0;
 } |
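Review bot: The length passed to `git__strntol64`, `buffer_end - time_start`, is a pointer difference, and nothing visible in this hunk establishes that `time_start` (set to `email_end + 2`) lies below `buffer_end`. If it did not, the difference would be negative and would presumably turn into a very large length on conversion, so the bound would be lost. The enclosing block starts outside the hunk, so the guard may already exist there. If it does, a short comment above the call such as `/* time_start < buffer_end is guaranteed by the check above */` would record the invariant the bound relies on.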
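Review bot: The length argument to `git__strntol32` looks two bytes too large. Parsing starts at `tz_start + 1`, so the bytes left before `buffer_end` are `buffer_end - (tz_start + 1)`, whereas `buffer_end - tz_start + 1` evaluates as `(buffer_end - tz_start) + 1`. On a buffer that is not NUL-terminated, which is the case the commit message targets, the parser could still read up to two bytes past `buffer_end`. The argument should be `buffer_end - tz_start - 1`. Whether `tz_start[0]` itself is inside the buffer depends on a check outside this hunk.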