Commit 014d4955 by Erik Aigner Committed by Patrick Steinhardt

apply: prevent OOB read when parsing source buffer

When parsing the patch image from a string, we split the string
by newlines to get a line-based view of it. To split, we use
`memchr` on the buffer and limit the buffer length by the
original length provided by the caller. This works just fine for
the first line, but for every subsequent line we need to actually
subtract the amount of bytes that we have already read.

The above issue can be easily triggered by having a source buffer
with at least two lines, where the second line does _not_ end in
a newline. Given a string "foo\nb", we have an original length of
five bytes. After having extracted the first line, we will point
to 'b' and again try to `memchr(p, '\n', 5)`, resulting in an
out-of-bounds read of four bytes.

Fix the issue by correctly subtracting the amount of bytes
already read.
parent 1a107fac
......@@ -23,6 +23,7 @@ Dmitry Kovega
Emeric Fermas
Emmanuel Rodriguez
Eric Myhre
Erik Aigner
Florian Forster
Holger Weiss
Ingmar Vanhassel
......
......@@ -59,7 +59,7 @@ static int patch_image_init_fromstr(
git_pool_init(&out->pool, sizeof(git_diff_line));
for (start = in; start < in + in_len; start = end) {
end = memchr(start, '\n', in_len);
end = memchr(start, '\n', in_len - (start - in));
if (end == NULL)
end = in + in_len;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment