tree-cache: avoid out-of-bound reads when parsing trees

We use the `git__strtol32` function to parse the child and entry count of treecaches from the index, which do not accept a buffer length. As the buffer that is being passed in is untrusted data and may thus be malformed and may not contain a terminating `NUL` byte, we can overrun the buffer and thus perform an out-of-bounds read. Fix the issue by uzing `git__strntol32` instead.

tree-cache: avoid out-of-bound reads when parsing trees
We use the `git__strtol32` function to parse the child and entry count of treecaches from the index, which do not accept a buffer length. As the buffer that is being passed in is untrusted data and may thus be malformed and may not contain a terminating `NUL` byte, we can overrun the buffer and thus perform an out-of-bounds read. Fix the issue by uzing `git__strntol32` instead.
21652ee9 · Patrick Steinhardt · 68deb2cc · 21652ee9
Commit 21652ee9 authored Oct 18, 2018 by Patrick Steinhardt
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

src/tree-cache.c
+2 -2

No files found.
--- a/src/tree-cache.c
+++ b/src/tree-cache.c
@@ -91,7 +91,7 @@ static int read_tree_internal(git_tree_cache **out,
 		return -1;

 	/* Blank-terminated ASCII decimal number of entries in this tree */
-	if (git__strtol32(&count, buffer, &buffer, 10) < 0)
+	if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0)
 		goto corrupted;

 	tree->entry_count = count;
@@ -100,7 +100,7 @@ static int read_tree_internal(git_tree_cache **out,
 		goto corrupted;

 	 /* Number of children of the tree, newline-terminated */
-	if (git__strtol32(&count, buffer, &buffer, 10) < 0 || count < 0)
+	if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0 || count < 0)
 		goto corrupted;

 	tree->children_count = count;