Merge pull request #4575 from pks-t/pks/index-secfixes-master

Index parsing fixes

Merge pull request #4575 from pks-t/pks/index-secfixes-master
Index parsing fixes
7b66bfe2 · Edward Thomson · GitHub · 358cc2e2 · 3db1af1f · 7b66bfe2
Unverified Commit 7b66bfe2 authored Mar 12, 2018 by Edward Thomson Committed by GitHub Mar 12, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 18 deletions

src/index.c
+27 -18

No files found.
--- a/src/index.c
+++ b/src/index.c
@@ -2299,8 +2299,9 @@ static size_t index_entry_size(size_t path_len, size_t varint_len, uint32_t flag
 	}
 }
-static size_t read_entry(
+static int read_entry(
 	git_index_entry **out,
+	size_t *out_size,
 	git_index *index,
 	const void *buffer,
 	size_t buffer_size,
@@ -2314,7 +2315,7 @@ static size_t read_entry(
 	char *tmp_path = NULL;
 	if (INDEX_FOOTER_SIZE + minimal_entry_size > buffer_size)
-		return 0;
+		return -1;
 	/* buffer is not guaranteed to be aligned */
 	memcpy(&source, buffer, sizeof(struct entry_short));
@@ -2356,7 +2357,7 @@ static size_t read_entry(
 			path_end = memchr(path_ptr, '\0', buffer_size);
 			if (path_end == NULL)
-				return 0;
+				return -1;
 			path_length = path_end - path_ptr;
 		}
@@ -2364,19 +2365,24 @@ static size_t read_entry(
 		entry_size = index_entry_size(path_length, 0, entry.flags);
 		entry.path = (char *)path_ptr;
 	} else {
-		size_t varint_len;
+		size_t varint_len, last_len, prefix_len, suffix_len, path_len;
-		size_t strip_len = git_decode_varint((const unsigned char *)path_ptr,
+		uintmax_t strip_len;
-						     &varint_len);
-		size_t last_len = strlen(last);
+		strip_len = git_decode_varint((const unsigned char *)path_ptr, &varint_len);
-		size_t prefix_len = last_len - strip_len;
+		last_len = strlen(last);
-		size_t suffix_len = strlen(path_ptr + varint_len);
-		size_t path_len;
+		if (varint_len == 0 || last_len < strip_len)
-		if (varint_len == 0)
 			return index_error_invalid("incorrect prefix length");
+		prefix_len = last_len - strip_len;
+		suffix_len = strlen(path_ptr + varint_len);
 		GITERR_CHECK_ALLOC_ADD(&path_len, prefix_len, suffix_len);
 		GITERR_CHECK_ALLOC_ADD(&path_len, path_len, 1);
+		if (path_len > GIT_PATH_MAX)
+			return index_error_invalid("unreasonable path length");
 		tmp_path = git__malloc(path_len);
 		GITERR_CHECK_ALLOC(tmp_path);
@@ -2386,16 +2392,20 @@ static size_t read_entry(
 		entry.path = tmp_path;
 	}
+	if (entry_size == 0)
+		return -1;
 	if (INDEX_FOOTER_SIZE + entry_size > buffer_size)
-		return 0;
+		return -1;
 	if (index_entry_dup(out, index, &entry) < 0) {
 		git__free(tmp_path);
-		return 0;
+		return -1;
 	}
 	git__free(tmp_path);
-	return entry_size;
+	*out_size = entry_size;
+	return 0;
 }
 static int read_header(struct index_header *dest, const void *buffer)
@@ -2499,10 +2509,9 @@ static int parse_index(git_index *index, const char *buffer, size_t buffer_size)
 	/* Parse all the entries */
 	for (i = 0; i < header.entry_count && buffer_size > INDEX_FOOTER_SIZE; ++i) {
 		git_index_entry *entry = NULL;
-		size_t entry_size = read_entry(&entry, index, buffer, buffer_size, last);
+		size_t entry_size;
-		/* 0 bytes read means an object corruption */
+		if ((error = read_entry(&entry, &entry_size, index, buffer, buffer_size, last)) < 0) {
-		if (entry_size == 0) {
 			error = index_error_invalid("invalid entry");
 			goto done;
 		}