[PATCH] pretty: avoid buffer overflow in format_person_part

[PATCH] pretty: avoid buffer overflow in format_person_part

[Jeff King]

When we parse the name and email from a commit to
pretty-print them, we usually can just put the result
directly into our strbuf result. However, if we are going to
use the mailmap, then we must first copy them into a
NUL-terminated buffer to feed to the mailmap machinery.

We did so by using strlcpy into a static buffer, but we used
it wrong. We fed it the length of the substring we wanted to
copy, but never checked that that length was less than the
size of the destination buffer.

The simplest fix is to just use snprintf to copy the
substring properly while still respecting the destination
buffer's size. It might seem like replacing the static
buffer with a strbuf would help, but we need to feed a
static buffer to the mailmap machinery anyway, so there's
not much benefit to handling arbitrary sizes.

A more ideal solution would be for mailmap to grow an
interface that:

  1. Takes a pointer and length combination, instead of
     assuming a NUL-terminated string.

  2. Returns a pointer to the mailmap's allocated string,
     rather than copying it into the buffer.

Then we could avoid the need for an extra buffer entirely.
However, doing this would involve a lot of refactoring of
mailmap and of string_list (which mailmap uses to store the
map itself). For now, let's do the simplest thing to fix the
bug.

Signed-off-by: Jeff King <peff@peff.net>
---
Current git will not generate commits with names long enough to overflow
here. With my recent series, that is no longer the case. Of course, that
is not really relevant; a malicious attacker is free to craft a bogus
commit directly with hash-object.

 pretty.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pretty.c b/pretty.c
index 02a0a2b..986e114 100644
--- a/pretty.c
+++ b/pretty.c
@@ -547,8 +547,10 @@ static size_t format_person_part(struct strbuf *sb, char part,
 	mail_end = s.mail_end;
 
 	if (part == 'N' || part == 'E') { /* mailmap lookup */
-		strlcpy(person_name, name_start, name_end - name_start + 1);
-		strlcpy(person_mail, mail_start, mail_end - mail_start + 1);
+		snprintf(person_name, sizeof(person_name), "%.*s",
+			 (int)(name_end - name_start), name_start);
+		snprintf(person_mail, sizeof(person_mail), "%.*s",
+			 (int)(mail_end - mail_start), mail_start);
 		mailmap_name(person_mail, sizeof(person_mail), person_name, sizeof(person_name));
 		name_start = person_name;
 		name_end = name_start + strlen(person_name);
-- 
1.7.9.7.33.gc430a50

Re: [PATCH] pretty: avoid buffer overflow in format_person_part

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> A more ideal solution would be for mailmap to grow an
> interface that:
>
>   1. Takes a pointer and length combination, instead of
>      assuming a NUL-terminated string.
>
>   2. Returns a pointer to the mailmap's allocated string,
>      rather than copying it into the buffer.

I was looking at René's patch to refs codepath that converted some "we
allocate because callee wants to have NUL-terminated strings" functions to
take counted strings (or whatever we want to call it---perhaps "string
slices"?), and it appears that we may benefit if more callers that do not
have to own strings that comes to them used them instead of NUL-terminated
strings as their interface.  At some deep point near the leaf of the
callchain, they may need to be converted in order to call external API
(read: POSIX) that takes NUL-terminated strings, but internal callchain
like the mailmap one, if done carefully, should let us avoid extra
allocations.