Commit c8aaba24 by lhchavez

libFuzzer: Fix missing trailer crash

This change fixes an invalid memory access when the trailer is missing /
corrupt.

Found using libFuzzer.
parent 1bf173c3
...@@ -951,6 +951,10 @@ int git_indexer_commit(git_indexer *idx, git_transfer_progress *stats) ...@@ -951,6 +951,10 @@ int git_indexer_commit(git_indexer *idx, git_transfer_progress *stats)
giterr_set(GITERR_INDEXER, "unexpected data at the end of the pack"); giterr_set(GITERR_INDEXER, "unexpected data at the end of the pack");
return -1; return -1;
} }
if (idx->off + 20 > idx->pack->mwf.size) {
giterr_set(GITERR_INDEXER, "missing trailer at the end of the pack");
return -1;
}
packfile_trailer = git_mwindow_open(&idx->pack->mwf, &w, idx->pack->mwf.size - GIT_OID_RAWSZ, GIT_OID_RAWSZ, &left); packfile_trailer = git_mwindow_open(&idx->pack->mwf, &w, idx->pack->mwf.size - GIT_OID_RAWSZ, GIT_OID_RAWSZ, &left);
if (packfile_trailer == NULL) { if (packfile_trailer == NULL) {
......
...@@ -87,6 +87,23 @@ void test_pack_indexer__leaky(void) ...@@ -87,6 +87,23 @@ void test_pack_indexer__leaky(void)
git_indexer_free(idx); git_indexer_free(idx);
} }
void test_pack_indexer__missing_trailer(void)
{
git_indexer *idx = 0;
git_transfer_progress stats = { 0 };
cl_git_pass(git_indexer_new(&idx, ".", 0, NULL, NULL, NULL));
/* Truncate a valid packfile */
cl_git_pass(git_indexer_append(
idx, out_of_order_pack, out_of_order_pack_len - 20, &stats));
cl_git_fail(git_indexer_commit(idx, &stats));
cl_assert(giterr_last() != NULL);
cl_assert_equal_i(giterr_last()->klass, GITERR_INDEXER);
git_indexer_free(idx);
}
void test_pack_indexer__fix_thin(void) void test_pack_indexer__fix_thin(void)
{ {
git_indexer *idx = NULL; git_indexer *idx = NULL;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment