signature: avoid out-of-bounds reads when parsing signature dates

We use `git__strtol64` and `git__strtol32` to parse the trailing commit
or author date and timezone of signatures. As signatures are usually
part of a commit or tag object and thus essentially untrusted data, the
buffer may be misformatted and may not be `NUL` terminated. This may
lead to an out-of-bounds read.

Fix the issue by using `git__strntol64` and `git__strntol32` instead.

(cherry picked from commit 3db9aa6f79711103a331a2bbbd044a3c37d4f136)

1 files changed, 5 insertions, 3 deletions

diff --git a/src/signature.c b/src/signature.c
index cd6852326..91864bb88 100644
--- a/src/signature.c
+++ b/src/signature.c
@@ -231,7 +231,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
 		const char *time_start = email_end + 2;
 		const char *time_end;
 
-		if (git__strtol64(&sig->when.time, time_start, &time_end, 10) < 0) {
+		if (git__strntol64(&sig->when.time, time_start,
+				   buffer_end - time_start, &time_end, 10) < 0) {
 			git__free(sig->name);
 			git__free(sig->email);
 			sig->name = sig->email = NULL;
@@ -246,8 +247,9 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
 			tz_start = time_end + 1;
 
 			if ((tz_start[0] != '-' && tz_start[0] != '+') ||
-				git__strtol32(&offset, tz_start + 1, &tz_end, 10) < 0) {
-				//malformed timezone, just assume it's zero
+			    git__strntol32(&offset, tz_start + 1,
+					   buffer_end - tz_start + 1, &tz_end, 10) < 0) {
+				/* malformed timezone, just assume it's zero */
 				offset = 0;
 			}