blame: don't overflow time buffer

When showing the raw timestamp, we format the numeric seconds-since-epoch into a buffer, followed by the timezone string. This string has come straight from the commit object. A well-formed object should have a timezone string of only a few bytes, but we could be operating on data pushed by a malicious user. Signed-off-by: N Jeff King <peff@peff.net> Signed-off-by: N Junio C Hamano <gitster@pobox.com>

blame: don't overflow time buffer
When showing the raw timestamp, we format the numeric seconds-since-epoch into a buffer, followed by the timezone string. This string has come straight from the commit object. A well-formed object should have a timezone string of only a few bytes, but we could be operating on data pushed by a malicious user. Signed-off-by: N Jeff King <peff@peff.net> Signed-off-by: N Junio C Hamano <gitster@pobox.com>
c3ea0515 · Jeff King · Junio C Hamano · c2857fb8 · c3ea0515
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

builtin/blame.c builtin/blame.c +1 -1

未找到文件。
--- a/builtin/blame.c
+++ b/builtin/blame.c
@@ -1598,7 +1598,7 @@ static const char *format_time(unsigned long time, const char *tz_str,
 	int tz;

 	if (show_raw_time) {
-		sprintf(time_buf, "%lu %s", time, tz_str);
+		snprintf(time_buf, sizeof(time_buf), "%lu %s", time, tz_str);
 	}
 	else {
 		tz = atoi(tz_str);