[PATCH/RFC 4/9] add sanity length check to format_person_part

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Will Palmer <wmpalmer@gmail.com>
To: git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>, Jeff King <peff@peff.net>,
	Will Palmer <wmpalmer@gmail.com>
Subject: [PATCH/RFC 4/9] add sanity length check to format_person_part
Date: Tue, 29 Mar 2011 00:17:26 +0100	[thread overview]
Message-ID: <1301354251-23380-5-git-send-email-wmpalmer@gmail.com> (raw)
In-Reply-To: <1301354251-23380-1-git-send-email-wmpalmer@gmail.com>

previously we were relying on the length check from ident.c, ie: relying
on having been given a good object to parse in the first place. If the
object should have triggered the "Impossibly long personal identifier"
check at commit-time, for example, it would have resulted in an overflow
here.

This is another one which, due to the input constraints, would not have
been a real-world problem for regular usage. I was able to cause an
overflow by viewing the log of a commit with an impossibly-long Author,
created via hash-object. This is admittedly a pretty far-fetched
scenario, though it could potentially be considered a security issue.

In any case, the lack of it rubbed me the wrong way when I was
refactoring this section, and it is trivial to add the sanity check.

Signed-off-by: Will Palmer <wmpalmer@gmail.com>
---
 pretty.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/pretty.c b/pretty.c
index d5a724f..8a288f0 100644
--- a/pretty.c
+++ b/pretty.c
@@ -449,6 +449,7 @@ static size_t format_person_part(struct strbuf *sb, char part,
 	unsigned long date = 0;
 	char *ep;
 	const char *name_start, *name_end, *mail_start, *mail_end, *msg_end = msg+len;
+	size_t name_len, mail_len;
 	char person_name[1024];
 	char person_mail[1024];
 
@@ -469,29 +470,36 @@ static size_t format_person_part(struct strbuf *sb, char part,
 	name_end = msg+end;
 	while (name_end > name_start && isspace(*(name_end-1)))
 		name_end--;
+	name_len = name_end-name_start;
+	if (name_len >= sizeof(person_name))
+		goto skip;
 	mail_start = msg+end+1;
 	mail_end = mail_start;
 	while (mail_end < msg_end && *mail_end != '>')
 		mail_end++;
+	mail_len = mail_end-mail_start;
+	if (mail_len >= sizeof(person_mail))
+		goto skip;
 	if (mail_end == msg_end)
 		goto skip;
 	end = mail_end-msg;
 
 	if (part == 'N' || part == 'E') { /* mailmap lookup */
-		strlcpy(person_name, name_start, name_end-name_start+1);
-		strlcpy(person_mail, mail_start, mail_end-mail_start+1);
+		/* copy up to, and including, the end delimiter */
+		strlcpy(person_name, name_start, name_len+1);
+		strlcpy(person_mail, mail_start, mail_len+1);
 		mailmap_name(person_mail, sizeof(person_mail), person_name, sizeof(person_name));
 		name_start = person_name;
-		name_end = name_start + strlen(person_name);
+		name_len = strlen(person_name);
 		mail_start = person_mail;
-		mail_end = mail_start +  strlen(person_mail);
+		mail_len = strlen(person_mail);
 	}
 	if (part == 'n' || part == 'N') {	/* name */
-		strbuf_add(sb, name_start, name_end-name_start);
+		strbuf_add(sb, name_start, name_len);
 		return placeholder_len;
 	}
 	if (part == 'e' || part == 'E') {	/* email */
-		strbuf_add(sb, mail_start, mail_end-mail_start);
+		strbuf_add(sb, mail_start, mail_len);
 		return placeholder_len;
 	}
 
-- 
1.7.4.2

next prev parent reply	other threads:[~2011-03-28 23:18 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-28 23:17 [PATCH/RFC 0/9] add long forms for format placeholders Will Palmer
2011-03-28 23:17 ` [PATCH/RFC 1/9] mention --date=raw in rev-list and blame help Will Palmer
2011-03-28 23:17 ` [PATCH/RFC 2/9] add support for --date=unix to complement %at Will Palmer
2011-03-28 23:17 ` [PATCH/RFC 3/9] interpret %C(invalid) as we would %%C(invalid) Will Palmer
2011-03-28 23:17 ` Will Palmer [this message]
2011-03-28 23:17 ` [PATCH/RFC 5/9] refactor pretty.c into "parse" and "format" steps Will Palmer
2011-03-28 23:17 ` [PATCH/RFC 6/9] add long-form %(wrap:...) for %w(...) Will Palmer
2011-03-28 23:17 ` [PATCH/RFC 7/9] add long form %(color:...) for %C(...) Will Palmer
2011-03-28 23:17 ` [PATCH/RFC 8/9] add long forms %(authordate) and %(committerdate) Will Palmer
2011-03-28 23:17 ` [PATCH/RFC 9/9] add long forms for author and committer identity Will Palmer
2011-03-29  0:28 ` [PATCH/RFC 0/9] add long forms for format placeholders Junio C Hamano
2011-03-29  6:44   ` Will Palmer
2011-03-29  6:46   ` Michael J Gruber
2011-03-29  7:27     ` Will Palmer

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d5a724f dfblob:8a288f0 )
 OR (
bs:"[PATCH/RFC 4/9] add sanity length check to format_person_part" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1301354251-23380-5-git-send-email-wmpalmer@gmail.com \
    --to=wmpalmer@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=peff@peff.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).