diff options
author | Patrick Steinhardt <ps@pks.im> | 2018-10-18 11:32:48 +0200 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2018-10-26 14:20:35 +0200 |
commit | 5ce26b187b52f60d4ac4862bea2a4d8a7b0da0a6 (patch) | |
tree | eafd3fa19325b4b1898434e291cb99c3fb040933 | |
parent | 76e57b4e953d05311746874b7601922975b1f539 (diff) | |
download | libgit2-5ce26b187b52f60d4ac4862bea2a4d8a7b0da0a6.tar.gz |
signature: avoid out-of-bounds reads when parsing signature dates
We use `git__strtol64` and `git__strtol32` to parse the trailing commit
or author date and timezone of signatures. As signatures are usually
part of a commit or tag object and thus essentially untrusted data, the
buffer may be misformatted and may not be `NUL` terminated. This may
lead to an out-of-bounds read.
Fix the issue by using `git__strntol64` and `git__strntol32` instead.
(cherry picked from commit 3db9aa6f79711103a331a2bbbd044a3c37d4f136)
-rw-r--r-- | src/signature.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/signature.c b/src/signature.c index cd6852326..91864bb88 100644 --- a/src/signature.c +++ b/src/signature.c @@ -231,7 +231,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out, const char *time_start = email_end + 2; const char *time_end; - if (git__strtol64(&sig->when.time, time_start, &time_end, 10) < 0) { + if (git__strntol64(&sig->when.time, time_start, + buffer_end - time_start, &time_end, 10) < 0) { git__free(sig->name); git__free(sig->email); sig->name = sig->email = NULL; @@ -246,8 +247,9 @@ int git_signature__parse(git_signature *sig, const char **buffer_out, tz_start = time_end + 1; if ((tz_start[0] != '-' && tz_start[0] != '+') || - git__strtol32(&offset, tz_start + 1, &tz_end, 10) < 0) { - //malformed timezone, just assume it's zero + git__strntol32(&offset, tz_start + 1, + buffer_end - tz_start + 1, &tz_end, 10) < 0) { + /* malformed timezone, just assume it's zero */ offset = 0; } |