Commit 49213f27 by Patrick Steinhardt

tree-cache: avoid out-of-bound reads when parsing trees

We use the `git__strtol32` function to parse the child and entry count
of treecaches from the index, which do not accept a buffer length. As
the buffer that is being passed in is untrusted data and may thus be
malformed and may not contain a terminating `NUL` byte, we can overrun
the buffer and thus perform an out-of-bounds read.

Fix the issue by uzing `git__strntol32` instead.

(cherry picked from commit 21652ee9)
parent ef7b7c73
...@@ -90,7 +90,7 @@ static int read_tree_internal(git_tree_cache **out, ...@@ -90,7 +90,7 @@ static int read_tree_internal(git_tree_cache **out,
return -1; return -1;
/* Blank-terminated ASCII decimal number of entries in this tree */ /* Blank-terminated ASCII decimal number of entries in this tree */
if (git__strtol32(&count, buffer, &buffer, 10) < 0) if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0)
goto corrupted; goto corrupted;
tree->entry_count = count; tree->entry_count = count;
...@@ -99,7 +99,7 @@ static int read_tree_internal(git_tree_cache **out, ...@@ -99,7 +99,7 @@ static int read_tree_internal(git_tree_cache **out,
goto corrupted; goto corrupted;
/* Number of children of the tree, newline-terminated */ /* Number of children of the tree, newline-terminated */
if (git__strtol32(&count, buffer, &buffer, 10) < 0 || count < 0) if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0 || count < 0)
goto corrupted; goto corrupted;
tree->children_count = count; tree->children_count = count;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment