Commit 3db9aa6f79711103a331a2bbbd044a3c37d4f136
2018-10-18T11:32:48
signature: avoid out-of-bounds reads when parsing signature dates We use `git__strtol64` and `git__strtol32` to parse the trailing commit or author date and timezone of signatures. As signatures are usually part of a commit or tag object and thus essentially untrusted data, the buffer may be misformatted and may not be `NUL` terminated. This may lead to an out-of-bounds read. Fix the issue by using `git__strntol64` and `git__strntol32` instead.
diff --git a/src/signature.c b/src/signature.c
index 286d0a6..91864bb 100644
--- a/src/signature.c
+++ b/src/signature.c
@@ -231,7 +231,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
const char *time_start = email_end + 2;
const char *time_end;
- if (git__strtol64(&sig->when.time, time_start, &time_end, 10) < 0) {
+ if (git__strntol64(&sig->when.time, time_start,
+ buffer_end - time_start, &time_end, 10) < 0) {
git__free(sig->name);
git__free(sig->email);
sig->name = sig->email = NULL;
@@ -246,7 +247,8 @@ int git_signature__parse(git_signature *sig, const char **buffer_out,
tz_start = time_end + 1;
if ((tz_start[0] != '-' && tz_start[0] != '+') ||
- git__strtol32(&offset, tz_start + 1, &tz_end, 10) < 0) {
+ git__strntol32(&offset, tz_start + 1,
+ buffer_end - tz_start + 1, &tz_end, 10) < 0) {
/* malformed timezone, just assume it's zero */
offset = 0;
}