blame: don't overflow time buffer

peff · gitster · commit c3ea051544cb · 2011-12-13T21:09:06.000-08:00
When showing the raw timestamp, we format the numeric
seconds-since-epoch into a buffer, followed by the timezone
string. This string has come straight from the commit
object. A well-formed object should have a timezone string
of only a few bytes, but we could be operating on data
pushed by a malicious user.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/builtin/blame.c b/builtin/blame.c
@@ -1598,7 +1598,7 @@ static const char *format_time(unsigned long time, const char *tz_str,
 	int tz;
 
 	if (show_raw_time) {
-		sprintf(time_buf, "%lu %s", time, tz_str);
+		snprintf(time_buf, sizeof(time_buf), "%lu %s", time, tz_str);
 	}
 	else {
 		tz = atoi(tz_str);

Original file line number	Diff line number	Diff line change
`@@ -1598,7 +1598,7 @@ static const char format_time(unsigned long time, const char tz_str,`
`1598`	`1598`	`int tz;`
`1599`	`1599`
`1600`	`1600`	`if (show_raw_time) {`
`1601`		`- sprintf(time_buf, "%lu %s", time, tz_str);`
	`1601`	`+ snprintf(time_buf, sizeof(time_buf), "%lu %s", time, tz_str);`
`1602`	`1602`	`}`
`1603`	`1603`	`else {`
`1604`	`1604`	`tz = atoi(tz_str);`