sequencer: don't die() on bogus user-edited timestamp

read_author_ident() is careful to handle errors "gently" when parsing
"rebase-merge/author-script" by printing a suitable warning and
returning NULL; it never die()'s. One possible reason that parsing might
fail is that "rebase-merge/author-script" has been hand-edited in such a
way which corrupts it or the information it contains.

However, read_author_ident() invokes fmt_ident() which is not so careful
about failing "gently". It will die() if it encounters a malformed
timestamp. Since read_author_ident() doesn't want to die() and since
it's dealing with possibly hand-edited data, take care to avoid passing
a bogus timestamp to fmt_ident().

A more "correctly engineered" fix would be to add a "gentle" version of
fmt_ident(), however, such a change it outside the scope of the bug-fix
series. If fmt_ident() ever does grow a "gentle" cousin, then the manual
timestamp check added here can be retired.

Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/sequencer.c b/sequencer.c
index 580516959dac54aadec12a24b55d92c680ed090d..944dea6997b431938dcd3815e53b2fcae03ba9e0 100644 (file)
--- a/sequencer.c
+++ b/sequencer.c
@@ -739,6 +739,15 @@ static const char *read_author_ident(struct strbuf *buf)
                return NULL;
        }
 
+       /* validate date since fmt_ident() will die() on bad value */
+       if (parse_date(val[2], &out)){
+               warning(_("invalid date format '%s' in '%s'"),
+                       val[2], rebase_path_author_script());
+               strbuf_release(&out);
+               return NULL;
+       }
+
+       strbuf_reset(&out);
        strbuf_addstr(&out, fmt_ident(val[0], val[1], val[2], 0));
        strbuf_swap(buf, &out);
        strbuf_release(&out);