Commit 28662c13 by lhchavez

libFuzzer: Prevent a potential shift overflow

The type of |base_offset| in get_delta_base() is `git_off_t`, which is a
signed `long`. That means that we need to make sure that the 8 most
significant bits are zero (instead of 7) to avoid an overflow when it is
shifted by 7 bits.

Found using libFuzzer.
parent 429bb357
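The overflow condition the commit message describes, worked through as an added C example that is not libgit2's code. It assumes `git_off_t` is `int64_t` and uses a hypothetical `MSB(x, bits)` stand-in for the macro in the hunk (the real definition is not on this page). The decoder mirrors the loop in `get_delta_base()`, takes the guard width as a parameter, and refuses to perform the shift when a too-narrow guard would let an overflowing value through instead of executing undefined behaviour. The 9-byte input is constructed so that after the eighth continuation byte `base_offset + 1` has bit 56 set and bits 57 to 63 clear, which a 7-bit check accepts and an 8-bit check rejects.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumptions for this example (not libgit2's definitions): git_off_t is a
 * signed 64-bit integer, and MSB(x, bits) is true when any of the `bits`
 * most significant bits of x are set. */
typedef int64_t git_off_t;
#define MSB(x, bits) ((((uint64_t)(x)) >> (64 - (bits))) != 0)

/* Would (value << 7) exceed INT64_MAX? Asked in unsigned arithmetic so the
 * answer is computed without performing the overflowing signed shift. */
int shift7_overflows(git_off_t value)
{
    return (uint64_t)value > ((uint64_t)INT64_MAX >> 7);
}

/* Decode git's variable-length offset-delta base offset the way the loop in
 * get_delta_base() does: 7 payload bits per byte, high bit means "another
 * byte follows", and each continuation adds 1 before shifting. guard_bits is
 * the width of the MSB check (7 before the commit, 8 after). Returns the
 * offset, 0 when the guard reports overflow, -1 on truncated input, and -2
 * when the guard missed a value whose shift would overflow (the -1/-2 codes
 * are conventions of this example only). */
git_off_t decode_delta_base(const unsigned char *buf, size_t len, int guard_bits)
{
    size_t used = 0;
    unsigned char c;
    git_off_t base_offset;

    if (len == 0)
        return -1;
    c = buf[used++];
    base_offset = c & 127;
    while (c & 128) {
        if (used >= len)
            return -1;               /* GIT_EBUFS in libgit2 */
        base_offset += 1;
        if (!base_offset || MSB(base_offset, guard_bits))
            return 0;                /* overflow caught by the guard */
        if (shift7_overflows(base_offset))
            return -2;               /* guard too narrow: refuse the UB shift */
        c = buf[used++];
        base_offset = (base_offset << 7) + (c & 127);
    }
    return base_offset;
}

/* Constructed inputs. SAMPLE_OVERFLOW: eight 0xFF continuation bytes drive
 * base_offset + 1 to 2^56 + 2^49 + ... + 2^7, followed by a terminator byte. */
const unsigned char SAMPLE_SMALL[2]     = { 0x81, 0x05 };   /* decodes to 261 */
const unsigned char SAMPLE_TRUNCATED[1] = { 0x81 };         /* continuation, no next byte */
const unsigned char SAMPLE_OVERFLOW[9]  = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00 };

int main(void)
{
    printf("small:           %lld\n", (long long)decode_delta_base(SAMPLE_SMALL, 2, 8));
    printf("truncated:       %lld\n", (long long)decode_delta_base(SAMPLE_TRUNCATED, 1, 8));
    printf("overflow, 7-bit: %lld\n", (long long)decode_delta_base(SAMPLE_OVERFLOW, 9, 7));
    printf("overflow, 8-bit: %lld\n", (long long)decode_delta_base(SAMPLE_OVERFLOW, 9, 8));
    return 0;
}
```

With the 7-bit guard the sample input reaches the shift with bit 56 set, so `base_offset << 7` would land on bit 63, the sign bit of the 64-bit signed type; the 8-bit guard rejects it one step earlier, which is exactly the margin the commit adds.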
...@@ -939,7 +939,7 @@ git_off_t get_delta_base( ...@@ -939,7 +939,7 @@ git_off_t get_delta_base(
if (left <= used) if (left <= used)
return GIT_EBUFS; return GIT_EBUFS;
base_offset += 1; base_offset += 1;
if (!base_offset || MSB(base_offset, 7)) if (!base_offset || MSB(base_offset, 8))
return 0; /* overflow */ return 0; /* overflow */
c = base_info[used++]; c = base_info[used++];
base_offset = (base_offset << 7) + (c & 127); base_offset = (base_offset << 7) + (c & 127);
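Review bot: the widened check `MSB(base_offset, 8)` is the right fix for a signed 64-bit `git_off_t` (with only 7 bits checked, a value with bit 56 set passes and `base_offset << 7` sets the sign bit, which is signed overflow), but the `8` is a magic number tied to both the shift amount and the signedness of the type. A one-line comment at the check, or an expression derived from the shift width (7 for the shift plus 1 for the sign bit), would make that relationship explicit and keep it correct if the type or shift ever changes. Separately, the overflow path returns 0 while a truncated buffer returns GIT_EBUFS; that asymmetry predates this change, but it is worth a note in the function's documentation so callers remember that 0 is also an error here.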