Commit ac1751f6 by Patrick Steinhardt

signature: avoid out-of-bounds reads when parsing signature dates

We use `git__strtol64` and `git__strtol32` to parse the trailing commit
or author date and timezone of signatures. As signatures are usually
part of a commit or tag object and thus essentially untrusted data, the
buffer may be misformatted and may not be `NUL` terminated. This may
lead to an out-of-bounds read.

Fix the issue by using `git__strntol64` and `git__strntol32` instead.

(cherry picked from commit 3db9aa6f)
parent da0e03ce
...@@ -228,7 +228,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out, ...@@ -228,7 +228,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
const char *time_start = email_end + 2; const char *time_start = email_end + 2;
const char *time_end; const char *time_end;
if (git__strtol64(&sig->when.time, time_start, &time_end, 10) < 0) { if (git__strntol64(&sig->when.time, time_start,
buffer_end - time_start, &time_end, 10) < 0) {
git__free(sig->name); git__free(sig->name);
git__free(sig->email); git__free(sig->email);
sig->name = sig->email = NULL; sig->name = sig->email = NULL;
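Review bot: the length `buffer_end - time_start` passed to `git__strntol64` is only meaningful if `time_start` (set to `email_end + 2` in the context line above) does not lie past `buffer_end`, and the visible context does not show that check. If the difference can be negative, it becomes a very large value once it is taken as an unsigned length, and the bounded parse no longer bounds anything. Please confirm the enclosing condition guarantees `email_end + 2 <= buffer_end`, or add that check before the call.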
...@@ -243,8 +244,9 @@ int git_signature__parse(git_signature *sig, const char **buffer_out, ...@@ -243,8 +244,9 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
tz_start = time_end + 1; tz_start = time_end + 1;
if ((tz_start[0] != '-' && tz_start[0] != '+') || if ((tz_start[0] != '-' && tz_start[0] != '+') ||
git__strtol32(&offset, tz_start + 1, &tz_end, 10) < 0) { git__strntol32(&offset, tz_start + 1,
//malformed timezone, just assume it's zero buffer_end - tz_start + 1, &tz_end, 10) < 0) {
/* malformed timezone, just assume it's zero */
offset = 0; offset = 0;
} }
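Review bot: the length passed to `git__strntol32` is off by two. Parsing starts at `tz_start + 1`, so the bytes remaining are `buffer_end - (tz_start + 1)`, but `buffer_end - tz_start + 1` evaluates as `(buffer_end - tz_start) + 1`. The parser may therefore read up to two bytes past `buffer_end`, which is the kind of out-of-bounds read this commit sets out to remove. Suggest `buffer_end - (tz_start + 1)`. Separately, the unchanged condition dereferences `tz_start[0]` with no visible check that `tz_start < buffer_end`; a signature that ends right after the timestamp would need that guard as well.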
......