1. 10 Mar, 2018 27 commits
  2. 08 Mar, 2018 6 commits
    • Merge pull request #4572 from pks-t/pks/index-secfixes · dd2d5381
      Security fixes for reading index v4
      Patrick Steinhardt committed
    • index: error out on unreasonable prefix-compressed path lengths · 6f4d04b5
      When computing the complete path length from the encoded
      prefix-compressed path, we end up just allocating the complete path
      without ever checking what the encoded path length actually is. This can
      easily lead to a denial of service by just encoding an unreasonable long
      path name inside of the index. Git already enforces a maximum path
      length of 4096 bytes. As we also have that enforcement ready in some
      places, just make sure that the resulting path is smaller than
      GIT_PATH_MAX.
      
      Reported-by: Krishna Ram Prakash R <krp@gtux.in>
      Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
      Patrick Steinhardt committed
    • index: fix out-of-bounds read with invalid index entry prefix length · 6ddd286e
      The index format in version 4 has prefix-compressed entries, where every
      index entry can compress its path by using a path prefix of the previous
      entry. Since implmenting support for this index format version in commit
      5625d86b (index: support index v4, 2016-05-17), though, we do not
      correctly verify that the prefix length that we want to reuse is
      actually smaller or equal to the amount of characters than the length of
      the previous index entry's path. This can lead to a an integer underflow
      and subsequently to an out-of-bounds read.
      
      Fix this by verifying that the prefix is actually smaller than the
      previous entry's path length.
      
      Reported-by: Krishna Ram Prakash R <krp@gtux.in>
      Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
      Patrick Steinhardt committed
    • index: convert `read_entry` to return entry size via an out-param · b6756821
      The function `read_entry` does not conform to our usual coding style of
      returning stuff via the out parameter and to use the return value for
      reporting errors. Due to most of our code conforming to that pattern, it
      has become quite natural for us to actually return `-1` in case there is
      any error, which has also slipped in with commit 5625d86b (index:
      support index v4, 2016-05-17). As the function returns an `size_t` only,
      though, the return value is wrapped around, causing the caller of
      `read_tree` to continue with an invalid index entry. Ultimately, this
      can lead to a double-free.
      
      Improve code and fix the bug by converting the function to return the
      index entry size via an out parameter and only using the return value to
      indicate errors.
      
      Reported-by: Krishna Ram Prakash R <krp@gtux.in>
      Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
      Patrick Steinhardt committed
  3. 07 Mar, 2018 7 commits