Unverified Commit 30d91760 by Edward Thomson Committed by GitHub

Merge pull request #4435 from lhchavez/ubsan-shift-overflow

libFuzzer: Prevent a potential shift overflow
parents 1ddc57b3 53f2c6b1
...@@ -934,19 +934,19 @@ git_off_t get_delta_base( ...@@ -934,19 +934,19 @@ git_off_t get_delta_base(
if (type == GIT_OBJ_OFS_DELTA) { if (type == GIT_OBJ_OFS_DELTA) {
unsigned used = 0; unsigned used = 0;
unsigned char c = base_info[used++]; unsigned char c = base_info[used++];
base_offset = c & 127; size_t unsigned_base_offset = c & 127;
while (c & 128) { while (c & 128) {
if (left <= used) if (left <= used)
return GIT_EBUFS; return GIT_EBUFS;
base_offset += 1; unsigned_base_offset += 1;
if (!base_offset || MSB(base_offset, 7)) if (!unsigned_base_offset || MSB(unsigned_base_offset, 7))
return 0; /* overflow */ return 0; /* overflow */
c = base_info[used++]; c = base_info[used++];
base_offset = (base_offset << 7) + (c & 127); unsigned_base_offset = (unsigned_base_offset << 7) + (c & 127);
} }
base_offset = delta_obj_offset - base_offset; if (unsigned_base_offset == 0 || (size_t)delta_obj_offset <= unsigned_base_offset)
if (base_offset <= 0 || base_offset >= delta_obj_offset)
return 0; /* out of bound */ return 0; /* out of bound */
base_offset = delta_obj_offset - unsigned_base_offset;
*curpos += used; *curpos += used;
} else if (type == GIT_OBJ_REF_DELTA) { } else if (type == GIT_OBJ_REF_DELTA) {
/* If we have the cooperative cache, search in it first */ /* If we have the cooperative cache, search in it first */
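Review bot: The new bound check casts `delta_obj_offset` to `size_t` (`(size_t)delta_obj_offset <= unsigned_base_offset`), which narrows the value on any build where `git_off_t` is wider than `size_t` (presumably 32-bit targets with 64-bit file offsets), so a valid delta in a pack larger than 4 GiB could be rejected as out of bound. The same cast turns a negative `delta_obj_offset` into a huge unsigned value that passes the check, and nothing visible in the hunk rules that out. Consider keeping the accumulator as wide as the offset and rejecting non-positive offsets first: `uint64_t unsigned_base_offset = c & 127;` and `if (unsigned_base_offset == 0 || delta_obj_offset <= 0 || (uint64_t)delta_obj_offset <= unsigned_base_offset)`, assuming `MSB` operates on the operand's own width. A comment such as `/* accumulate unsigned: pack data is untrusted and a signed left shift can overflow */` above the declaration would record why the temporary exists. `get_delta_base` starts and ends outside the hunk.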