Commit 238e54bc by Ramsay Jones

Add a 64-bit offset table index bounds check for v2 pack index

Signed-off-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
parent 255a0dab
...@@ -746,8 +746,8 @@ static int pack_openidx_v2(git_pack *p) ...@@ -746,8 +746,8 @@ static int pack_openidx_v2(git_pack *p)
unsigned char *data = p->idx_map.data; unsigned char *data = p->idx_map.data;
uint32_t *src_fanout = (uint32_t *)(data + 8); uint32_t *src_fanout = (uint32_t *)(data + 8);
uint32_t *im_fanout; uint32_t *im_fanout;
size_t sz; size_t sz, o64_sz, o64_len;
int j; uint32_t j;
if ((im_fanout = git__malloc(sizeof(*im_fanout) * 256)) == NULL) if ((im_fanout = git__malloc(sizeof(*im_fanout) * 256)) == NULL)
return GIT_ERROR; return GIT_ERROR;
...@@ -775,6 +775,21 @@ static int pack_openidx_v2(git_pack *p) ...@@ -775,6 +775,21 @@ static int pack_openidx_v2(git_pack *p)
p->im_crc = (uint32_t *)(p->im_oid + 20 * p->obj_cnt); p->im_crc = (uint32_t *)(p->im_oid + 20 * p->obj_cnt);
p->im_offset32 = p->im_crc + p->obj_cnt; p->im_offset32 = p->im_crc + p->obj_cnt;
p->im_offset64 = p->im_offset32 + p->obj_cnt; p->im_offset64 = p->im_offset32 + p->obj_cnt;
/* check 64-bit offset table index values are within bounds */
o64_sz = p->idx_map.len - sz;
o64_len = o64_sz / 8;
for (j = 0; j < p->obj_cnt; j++) {
uint32_t o32 = decode32(p->im_offset32 + j);
if (o32 & 0x80000000) {
uint32_t o64_idx = (o32 & ~0x80000000);
if (o64_idx >= o64_len) {
free(im_fanout);
return GIT_ERROR;
}
}
}
return GIT_SUCCESS; return GIT_SUCCESS;
} }
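Review bot: The bound `o64_len` derived on the added `o64_sz = p->idx_map.len - sz;` line is only as tight as `sz`, which is computed outside this hunk; if `sz` does not already account for the 40-byte trailer (pack checksum plus index checksum) that follows the 64-bit offset table in a v2 index, those bytes are counted as five extra 64-bit entries and an `o64_idx` that lands in the trailer passes the new check. That assumption deserves a comment at the `o64_sz` line, e.g. `/* sz covers all tables before the 64-bit offsets plus the trailer, so the remainder is exactly that table */`, or an explicit subtraction of the trailer if `sz` excludes it. The same line also relies on an earlier `p->idx_map.len >= sz` check (not visible here) to avoid a size_t underflow that would make the bound effectively unlimited. On the error path, `free(im_fanout)` pairs with the allocation at the top of the function, but if `p->im_fanout` has already been pointed at this buffer between the two hunks it is left dangling on return; confirm the caller does not touch `p` after `GIT_ERROR`. pack_openidx_v2 begins outside this hunk.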