| author | Patrick Steinhardt <ps@pks.im> | 2018-11-09 19:32:08 +0100 |
|---|---|---|
| committer | Patrick Steinhardt <ps@pks.im> | 2018-11-09 19:32:08 +0100 |
| commit | 52f859fd534e3c16c2c03b9a2375f00a50f3996e (patch) | |
| tree | 8e3e1a5f9b0896c85760bcb333a56b93f840d798 /src/commit.c | |
| parent | fa7aba70d8c1bc68cd2572d808c66059df6da989 (diff) | |
| download | libgit2-52f859fd534e3c16c2c03b9a2375f00a50f3996e.tar.gz | |
signature: fix out-of-bounds read when parsing timezone offset
When parsing a signature's timezone offset, we first check whether there
is a timezone at all by verifying that there are still bytes left to
read following the time itself. The check thus looks like `time_end + 1
< buffer_end`, which is actually correct in this case. After setting the
timezone's start pointer to that location, we compute the remaining
bytes by using the formula `buffer_end - tz_start + 1`, re-using the
previous `time_end + 1`. But this is in fact missing the braces around
`(tz_start + 1)`, thus leading to an overestimation of the remaining
bytes by a length of two. In case of a non-NUL-terminated buffer, this
will result in an overflow.
The function `git_signature__parse` is only used in two locations. First
is `git_signature_from_buffer`, which only accepts a string without a
length. The string thus necessarily has to be NUL-terminated and cannot
trigger the issue.
The other function is `git_commit__parse_raw`, which can in fact trigger
the error as it may receive non-NUL-terminated commit data. But as
objects read from the ODB are always NUL-terminated by us as a
cautionary measure, it cannot trigger the issue either.
In other words, this error does not have any impact on security.
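To make the off-by-two concrete, the following is an added C example (not libgit2's code) that evaluates both length formulas from the commit message against a constructed, non-NUL-terminated signature tail. The helper names are my own, and it assumes, as the message describes, that the digit scan starts at `tz_start + 1` and runs for the computed number of bytes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: the tail of a signature line (time, space, tz),
 * used with an explicit length so that no NUL terminator is in reach. */
static const char sample[] = "1541788328 +0100";
#define SAMPLE_LEN (sizeof(sample) - 1)

/* Length computation before the fix: without parentheses the expression
 * is (buffer_end - tz_start) + 1, which overstates the remaining bytes. */
static ptrdiff_t remaining_before_fix(const char *tz_start, const char *buffer_end)
{
    return buffer_end - tz_start + 1;
}

/* Length computation after the fix: bytes left after the sign character. */
static ptrdiff_t remaining_after_fix(const char *tz_start, const char *buffer_end)
{
    return buffer_end - (tz_start + 1);
}

/* Locates the timezone start as the message describes: the byte after the
 * time, but only if at least one byte follows it. NULL means no timezone. */
static const char *find_tz_start(const char *buffer, size_t len)
{
    const char *buffer_end = buffer + len;
    const char *time_end = memchr(buffer, ' ', len);
    if (time_end == NULL || time_end + 1 >= buffer_end)
        return NULL;
    return time_end + 1;
}

/* Returns how many bytes a scan of `remaining` bytes from tz_start + 1
 * would extend past buffer_end; 0 means the read stays in bounds. */
static ptrdiff_t overread_bytes(const char *buffer, size_t len, int fixed)
{
    const char *buffer_end = buffer + len;
    const char *tz_start = find_tz_start(buffer, len);
    ptrdiff_t remaining;
    if (tz_start == NULL)
        return 0;
    remaining = fixed ? remaining_after_fix(tz_start, buffer_end)
                      : remaining_before_fix(tz_start, buffer_end);
    return ((tz_start + 1) + remaining) - buffer_end;
}
```

With the sample above the pre-fix formula yields 6 bytes to scan where only 4 remain, the two-byte overestimate the commit message describes; the corrected formula stays exactly within the buffer.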
Diffstat (limited to 'src/commit.c')
0 files changed, 0 insertions, 0 deletions